HTP5

▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄

GILL
However, we have come to believe that one 'HTP' is involved in the NVD breach. They or perhaps an accomplice of theirs have a disk that Mr. Belford needs. We want you to help us find it.

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

About 8 months ago, we were monitoring our intel (tail -f'ing PM logs from other networks) and came across an individual who was pretty skilled with ColdFusion. After due time, we invited him/her to HTP. He/she ended up manifesting the NULL RDS 1day POC, which owned the NVD.

The NVD realized they were breached, and deleted the shells. Soon after, they were shelled again. They deleted the shells again. Once again, they were shelled. The DHS CSD was swift and unrelenting with their execution of the DELETE key.

As fun as this was, the rest of HTP acknowledged what had been breached. We switched tactics and proceeded to traverse the National Vulnerability Database network. Two boxes down, we downloaded the CFM scripts and certificates hosted within the NVD and NISTWEB servers. From them, we were able to authenticate ourselves to access the DHS NIST/NVD user database (root slash period workspace slash period garbage period).

Not knowing what to do, and realizing their DELETE key training had abandoned them, the DHS CSD resorted to shutting the entire site down. It is our theory their inspiration for this technique came from an NCIS episode: http://www.youtube.com/watch?v=u8qgehH3kEQ

Included in this segment of HTP5 is the DHS NIST/NVD user database, along with two certificates and their ColdFusion admin password.properties. Enjoy.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
~ http://mirror.hack-the-planet.tv/HTP-5/NVD/NVD.zip
|- 0MB
|  DHS NIST/NVD user database, two certs, CF admin password.properties
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄