Booze, Nosiness, and City Terminals

by th3linguist  (th3linguist@googlemail.com)

0x00: Mother Tongue

English is not my mother tongue.  So if you stumble across strange formulations, have a laugh or figure out which language is my mother tongue.  If you are right, maybe I will send you a prize.

0x01: Preamble

Do you know this situation: You walk through a park or a city in the midday sun, with swollen eyes from last night's boozing.

Birds are singing, head is ringing, and passing cars are honking - and you swear to yourself: Never again will booze touch my throat!  Never!  Ever!  Again!

O.K., so far, so familiar, and a few weeks ago that was th3linguist's status - and because of that he had a collision with a city terminal.

So, let me explain what a city terminal is.

I live in a district town in the south of Germany (hint!).  We have a palace there and a nice pedestrian area with a lot of shop windows and flower tubs.  In 2005 the city council decided to do something for the tourists and assigned an IT company to install four information terminals in the city.

The first generation consisted of a desktop PC, built into a control box with three displays on top of it for ads and another display with a keyboard for user control.

As a tourist (or a being with fingers), you can enter search terms ("Where is the next cinema?" "Where is a drugstore?" ...), send photo e-cards, and even print out a city map.  Nice idea!

But in 2005, I wasn't really interested in exploring the technique behind it.  I had to deal with a disappointing love affair and with a job and and and... (crazy time).

0x02: Nosiness

In 2009 the IT company was assigned to modernize the terminals.

They constructed four new city terminals with one big touch screen (we seem to be the i-generation).  There is still a cam to take photos and send them via email, the printer function is no longer there, and the UI is now shiny and very, very colorful.

On that hangover day, I walked the pedestrian area with a headache.  Suddenly I stood in front of one of these terminals and said "Hello!  Could you please step aside!"  It didn't.  So I touched the screen and played a little bit with it.  Nothing special.  No Internet browser, no porn, no access to the mayor's mail account.  But now I was nosy.

I wanted to know how these terminals worked and I thought it would be great to show some nasty pics on the display.  As you can imagine, there isn't a button called "Publish own content" or something.  So I started thinking...

0x03: Getting in Touch

How to get remote access to the terminals?

Well, I took a photo, sent it to a garbage mail service, and rushed home.  In front of my computer I downloaded the e-mail, opened it with a text editor, and read the email header.  Et voilà, there was the sender's IP address.

I started Vidalia, configured my browser properly, and surfed to the IP.  What would happen?  I saw the same UI as on the city terminals.

A first conclusion: Mail server and web server are using the same address.

Furthermore, the city terminals are not standalone, they are just clients.  I needed more information.

I started gathering it using WHOIS and reading the website of the IT company.  On their site they stated that they were using their own content management system called mcOne4all.

Not much information about that on the net, but they were offering a test account on a server.  To get a test login, I would have to give them a valid mail address and telephone number.  No way!

0x04: Going Deeper

So I surfed back to the terminal's web server.

The URL looked something like this: bk.interXXXXXcity.de/de/5

I did a right-click on an image and selected "Show Image".  The URL of that looked like: bk.interXXXXXcity.de/images/user1.gif

Bang!  From the ID (bk.interXXXXXcity.de/de/5) to the real path.  I started the beloved Bash and gave a Torify Wget a chance:

$ torify wget -r http://bk.interXXXXX.de/de/5

I had to wait about 45 minutes, but then I had a mirror of the website.  I created an empty file and did a:

$ cat foo*.html >> output.txt

All right, there was one file with all the good content.  Again, I used the Linux onboard tools:

$ cat output.txt | grep http://bk >> links.txt

The file links.txt should now contain all accessible, absolute links on the webserver.

After a little bit of handicraft (grep, grep, and more crap), I found a link to: bk.interXXXXXcity.de/mcCMS

Well, obviously.  That site redirected me to a login form.  Not so interesting at the moment.  I focused on another link: bk.interXXXXXcity.de/mcCMS/editor

There was no way I could start the editor directly via an *.html or *.php.  But... directory listing was enabled!

0x05: Climax

O.K., to cut a long story short: In the directory bk.interXXXXXcity.de/editor/popups, I found a complete listing of the parts that are composing the admin interface - without access control.  Lovely!
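
Seen from the operator's side, both the recursive mirror and the open admin directories leave traces in the web server's access log. The sketch below is an added example, not part of the original article or of the vendor's software: it scans Combined Log Format lines for mirroring clients and for admin paths served with status 200 to a client with no HTTP-auth user. The log lines, the IP addresses, the file name example.html, and the threshold are constructed, and it assumes the admin area is meant to sit behind HTTP authentication (an application-level login would not show up in the user field).

```python
import re
from collections import defaultdict

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
ADMIN_PREFIXES = ("/mcCMS/", "/editor/")  # paths named in the article
MIRROR_THRESHOLD = 4                      # assumed value; tune to real traffic

def audit(lines):
    """Return (mirroring_hosts, unauthenticated_admin_hits)."""
    paths_by_host = defaultdict(set)
    crawler_hosts = set()
    admin_hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, path, status = m["host"], m["path"], int(m["status"])
        paths_by_host[host].add(path)
        if "wget" in m["agent"].lower():
            crawler_hosts.add(host)
        # 200 on an admin path with no HTTP-auth user: it was served to anyone.
        if status == 200 and m["user"] == "-" and path.startswith(ADMIN_PREFIXES):
            kind = "directory index" if path.endswith("/") else "file"
            admin_hits.append((host, path, kind))
    mirrors = sorted(h for h, p in paths_by_host.items()
                     if h in crawler_hosts or len(p) >= MIRROR_THRESHOLD)
    return mirrors, admin_hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2010:14:01:02 +0100] "GET /de/5 HTTP/1.0" 200 5120 "-" "Wget/1.12 (linux-gnu)"',
    '192.0.2.10 - - [12/Mar/2010:14:01:03 +0100] "GET /images/user1.gif HTTP/1.0" 200 812 "-" "Wget/1.12 (linux-gnu)"',
    '192.0.2.10 - - [12/Mar/2010:14:01:04 +0100] "GET /mcCMS/ HTTP/1.0" 302 0 "-" "Wget/1.12 (linux-gnu)"',
    '198.51.100.7 - - [12/Mar/2010:15:10:00 +0100] "GET /mcCMS/editor/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2010:15:10:09 +0100] "GET /editor/popups/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2010:15:10:20 +0100] "GET /editor/popups/example.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - admin [12/Mar/2010:16:00:00 +0100] "GET /mcCMS/editor/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any "directory index" hit means automatic listing is still switched on for that path; turning it off and requiring authentication on the whole admin tree closes what the article describes.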

0x06: Cleanup

Why did I write this article?

I think it is an example of the old-fashioned way of hacking.

Be nosy, be creative, be - well - nasty!
