
Hacking a Counter Strike server, or "Security? No, haven't heard of it!"

Good day.
With the rise of services offering game-server hosting, many people have set up servers of their own, and in some cases security is simply ignored.

A couple of months ago, while browsing the server list for somewhere to play, I came across a server whose title threatened anyone who would dare to use cheats.

The initial plan formed very quickly: generate the administrator's SteamID, then have fun with cheats on the server while enjoying immunity.
I learned how to generate SteamIDs while writing VoiceCodecFix, a module that lets you talk to players who have not updated Counter Strike. I will probably tell about it, and about loading asi-modules, another time.
Having logged on to the server with the administrator's account and found that I had access to amx_rcon, I assumed at first that I had got hold of the main administrator's account; however, everything became clear a little later.

A small digression about access rights in Counter Strike

There are rights granted by the AmxModX module; they are set with flags (a to u), and the flag z denotes a regular player.
Which flag is responsible for what, you can see here .
An administrator with the amx_kick, amx_ban, etc. flags cannot affect a player who has the immunity flag.

There is also access provided by the RCON password (Remote Console, as I understand it). I think the analogy with an ssh key is appropriate here. In general, handing it out to everyone is not a good idea.
It is, in fact, direct access to the server console.
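Access flags and identities live together in the AmxModX users.ini, and the post later notes that a SteamID is easy to fake. The audit below is an added example (not code from the post, from AmxModX or from AmxBans); it parses a constructed users.ini and reports entries that hold immunity, amx_ban, sv_password or amx_rcon while being authenticated by nothing more than a SteamID or IP address. It assumes the stock users.ini line format and the stock flag meanings listed in the docstring; check both against the comment header of your own file.

```python
"""Audit an AMX Mod X users.ini for privileged admins who are identified only by a
spoofable SteamID or IP address.

Added example; not code from the post, from AMX Mod X or from AmxBans.
Assumes the stock users.ini line format
    "<auth>" "<password>" "<access flags>" "<account flags>"
and the stock flag meanings (verify against the comment header of your own file):
  access flags : a = immunity, c = amx_kick, d = amx_ban, k = sv_password cvar,
                 l = amx_rcon, z = plain user
  account flags: a = kick on wrong password, c = auth is a SteamID,
                 d = auth is an IP, e = password is not checked at all
"""
import re

# Constructed sample file; the SteamIDs and the IP address are made up.
SAMPLE_USERS_INI = """\
; "<auth>" "<password>" "<access flags>" "<account flags>"
"STEAM_0:1:111111" "" "abcdefghijklmnopqrstu" "ce"
"STEAM_0:0:222222" "" "bcij" "ce"
"Moderator" "s3cr3t-pass-phrase" "cdil" "a"
"10.0.0.5" "" "abcdefghijklmnopqrstu" "de"
"STEAM_0:0:333333" "" "z" "ce"
"""

FIELD_RE = re.compile(r'"([^"]*)"')

# Access flags whose holder can hurt other players or take over the server.
PRIVILEGED = {"a": "immunity", "d": "amx_ban", "k": "sv_password", "l": "amx_rcon"}


def parse_users_ini(text):
    """Return (auth, password, access_flags, account_flags) tuples for each
    well-formed entry; comments, blank lines and lines without exactly four
    quoted fields are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = FIELD_RE.findall(line)
        if len(fields) == 4:
            entries.append(tuple(fields))
    return entries


def audit(entries):
    """Return [(auth, [privileges])] for entries that hold a privileged flag but
    would be accepted purely on a SteamID or IP, i.e. with no password check."""
    findings = []
    for auth, password, access, account in entries:
        privileges = [PRIVILEGED[f] for f in access if f in PRIVILEGED]
        if not privileges:
            continue
        no_password_check = "e" in account or password == ""
        spoofable_identity = "c" in account or "d" in account
        if no_password_check and spoofable_identity:
            findings.append((auth, privileges))
    return findings


if __name__ == "__main__":
    for auth, privs in audit(parse_users_ini(SAMPLE_USERS_INI)):
        print(f"{auth}: {', '.join(privs)} granted without a password")
```

On the constructed file this flags the two entries that carry every flag on a bare SteamID or IP, and passes the password-protected "Moderator" entry even though it holds amx_rcon. That is the distinction the post's server missed: the dangerous combination is not a flag by itself but a powerful flag tied to an identity the server never verifies.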

The amx_rcon command makes using RCON somewhat more convenient, but it also has a flip side. An administrator with access to this command also has access to amx_showrcon, which can be used to learn the RCON password. The difference between them is that amx_rcon does not print the result of execution to the console, while amx_showrcon does.
The code responsible for amx_rcon looks like this:

    #include <amxmodx>

    public cmdRcon(id, level, cid) {
        // id: the player who typed the command; level and cid: the access level
        // and command id that cmd_access() checks; 2 = minimum argument count.
        if (!cmd_access(id, level, cid, 2))
            return PLUGIN_HANDLED       // no access or too few arguments: stop here

        new arg[128], authid[32], name[32]
        read_args(arg, 127)             // everything typed after amx_rcon
        get_user_authid(id, authid, 31) // SteamID of the caller
        get_user_name(id, name, 31)     // nickname of the caller

        // Written to the AMXX log: who sent what to the server console.
        log_amx("Cmd: ^"%s<%d><%s><>^" server console (cmdline ^"%s^")",
                name, get_user_userid(id), authid, arg)

        // The caller only learns that the command was sent; the server's reply
        // never comes back to them.
        console_print(id, "[AMXX] %L", id, "COM_SENT_SERVER", arg)

        server_cmd("%s", arg)           // execute in the server console
        return PLUGIN_HANDLED
    }

Reading what the server wrote to its console and passing it back to the player is not possible with AmxModX means.

The amx_showrcon command in fact replaces two standard commands that the engine itself handles and that need no modules at all:
    rcon_password _password_
    rcon _command_

    public cmdShowRcon(id, level, cid) {
        if (!cmd_access(id, level, cid, 2))
            return PLUGIN_HANDLED

        new password[64]
        // rcon_password is a pcvar handle to the server's "rcon_password" CVar
        get_pcvar_string(rcon_password, password, 63)

        if (!password[0]) {
            // No RCON password set on the server: behave exactly like amx_rcon
            cmdRcon(id, level, cid)
        } else {
            new args[128]
            read_args(args, 127)
            // Sets the real RCON password inside the caller's client...
            client_cmd(id, "rcon_password %s", password)
            // ...and makes the client send the command itself, so the server's
            // reply arrives in the client's console. Note that, unlike cmdRcon,
            // nothing is written to the AMXX log on this path.
            client_cmd(id, "rcon %s", args)
        }
        return PLUGIN_HANDLED
    }

That is, after using this command it is enough to look at what the value of rcon_password has become on your own client to learn the server's RCON password. Knowing it, you can:
1. Change the server settings (set gravity to 10 million; it's fun, they said)
2. Rename the server.
3. Kick players, even those with immunity ( rcon kick #userid ).
4. Change the map at your discretion ( rcon changelevel _mapname_ )
5. Change the result of the vote for the next map ( rcon amx_nextmap _mapname_ )
6. Ban on behalf of the server
... in short, do all sorts of mischief.
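The only trace that amx_rcon leaves is the log_amx() line in cmdRcon above, so that line is what a server owner can actually monitor. The scanner below is an added example (not code from the post or from AmxModX): it parses constructed log lines in that format, raises an alert for each command from the abuse list above (plus the amxx cvar dump used in part two), and records which nicknames each SteamID was seen under. The "L <date> - <time>: [plugin] " prefix is my assumption about how AMXX frames plugin log messages; check it against your own addons/amxmodx/logs files before relying on the regex.

```python
"""Scan AMX Mod X log lines for amx_rcon use and flag dangerous console commands.

Added example; not code from the post or from AMX Mod X. The line body is the
log_amx() format from cmdRcon in the post; the "L <date> - <time>: [plugin] "
prefix is an assumption about AMXX's plugin log framing. Sample lines are
constructed.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'^L (?P<date>\S+) - (?P<time>\S+): \[(?P<plugin>[^\]]+)\] '
    r'Cmd: "(?P<name>.*)<(?P<userid>\d+)><(?P<authid>[^>]*)><>" '
    r'server console \(cmdline "(?P<cmdline>.*)"\)$'
)

# Server console commands worth an alert: the abuses listed in the post, plus
# the cvar dump that exposes the amx_sql_* credentials in part two.
SENSITIVE = {
    "kick":          "kicked a player, immunity does not apply",
    "changelevel":   "changed the map",
    "amx_nextmap":   "overrode the map vote",
    "hostname":      "renamed the server",
    "sv_gravity":    "changed server physics",
    "sv_password":   "locked the server with a password",
    "rcon_password": "changed the RCON password",
    "banid":         "banned a SteamID on behalf of the server",
    "addip":         "banned an IP on behalf of the server",
    "amxx":          "dumped AMXX state (amxx cvars lists amx_sql_host/user/pass)",
}

SAMPLE_LOG = """\
L 10/15/2013 - 20:11:03: [admincmd.amxx] Cmd: "Admin1<12><STEAM_0:1:111111><>" server console (cmdline "say hello")
L 10/15/2013 - 20:12:40: [admincmd.amxx] Cmd: "Admin1<12><STEAM_0:1:111111><>" server console (cmdline "sv_gravity 10000000")
L 10/15/2013 - 20:13:02: [admincmd.amxx] Cmd: "Guest<34><STEAM_0:1:111111><>" server console (cmdline "kick #7; sv_password lockout")
L 10/15/2013 - 20:13:30: [admincmd.amxx] Cmd: "Guest<34><STEAM_0:1:111111><>" server console (cmdline "amxx cvars")
L 10/15/2013 - 20:14:00: [admincmd.amxx] Cmd: "Admin2<15><STEAM_0:0:222222><>" server console (cmdline "changelevel de_dust2")
L 10/15/2013 - 20:14:05: [admincmd.amxx] Cmd: "Admin2<15><STEAM_0:0:222222><>" server console (cmdline "status")
this line is not an admincmd entry and is ignored
"""


def parse_line(line):
    """Return the fields of one amx_rcon log entry, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmdline):
    """List (command, reason) for each sensitive command in a ';'-separated cmdline."""
    hits = []
    for part in cmdline.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() in SENSITIVE:
            hits.append((tokens[0].lower(), SENSITIVE[tokens[0].lower()]))
    return hits


def audit_log(lines):
    """Return (alerts, commands_per_authid, names_per_authid).

    alerts: one dict per sensitive command, in log order.
    names_per_authid: nicknames each SteamID was seen under; one SteamID under
    several names is a hint (not proof) that the SteamID is being spoofed."""
    alerts = []
    per_authid = Counter()
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_authid[rec["authid"]] += 1
        names[rec["authid"]].add(rec["name"])
        for cmd, reason in classify(rec["cmdline"]):
            alerts.append({
                "when": f'{rec["date"]} {rec["time"]}',
                "authid": rec["authid"],
                "name": rec["name"],
                "cmd": cmd,
                "reason": reason,
                "cmdline": rec["cmdline"],
            })
    return alerts, per_authid, dict(names)


if __name__ == "__main__":
    alerts, per_authid, names = audit_log(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(f'{a["when"]} {a["authid"]} ({a["name"]}): {a["reason"]}: {a["cmdline"]}')
    for authid, seen in names.items():
        if len(seen) > 1:
            print(f"{authid} appeared under {len(seen)} names: {sorted(seen)}")
```

Two caveats follow directly from the plugin code above. cmdShowRcon calls log_amx() only on its fallback path (empty password), so the command that actually leaks the password is invisible to this scanner; and once someone holds the password, plain rcon from their client never passes through AmxModX at all, leaving only whatever the engine itself logs. The log check therefore complements, and does not replace, taking amx_rcon away from accounts that cannot be trusted with the password.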

Having looked at the output of the amx_who command to see which rights had been granted to whom... well, it was not the main administrator's account. They had given every available flag to all administrators.
As a test, I decided to kick one administrator who was loudly cursing on the server and making it hard to play, giving "shut up" as the reason. He immediately created a topic about this "incident" in the server's group, saying "someone is kicking me".
The chief administrator could think of nothing better than removing amx_kick access from all administrators.
Since faking a SteamID is quite simple, I decided to write about this to the chief administrator, who was in charge of setting access rights. In response I received: "Since you are so smart, why haven't you bought admin rights from us yet?" (Really...)
In short, after a clear demonstration of the ability to kick administrators using rcon, instead of somehow restricting administrators' access to amx_rcon, he banned me by IP address, "so that you don't go where you are not supposed to".
That is how they now thank you for a vulnerability you found.

Well then, we write a small script that kicks all players from the server and locks the server with a password. Fun and reliable.
Again, instead of taking RCON access away from the admins, the main admin decided to switch them to nickname-password authentication.
Nobody thought of changing the RCON password.

Part two, getting access to the AmxBans server's MySQL database

It has now become fashionable to keep a separate web page with the list of players banned on the server.
This list is built from a MySQL table that the AmxBans plugin populates.
AmxBans also lets you store admin information not in the users.ini file but in that same database.
The credentials for this database are stored in server cvars (CVars). They can be read with rcon amxx cvars
The values of interest are:
amx_sql_host
amx_sql_user
amx_sql_pass

As the tool for talking to the database I traditionally use SQLyog.
The database belonged to a game-hosting provider and was configured to allow access only from trusted IP addresses.
SQLyog can reach the database through an HTTP tunnel: it is enough to upload SQLyogTunnel.php to the desired host and point SQLyog at its path.
I had to fork out a bit and buy a server plus an AmxBans page on the same hosting. 200 rubles all in all.

In AmxBans all passwords are stored as MD5 hashes. There were about 50 of them in total, and almost all were recovered using an online hash-lookup service, since they consisted of 7-8 digits with no letters at all.

Very few people bother to set access rights for direct editing of the database, so on the AmxBans web page you can log in under an administrator account and set permissions through a convenient web interface.
There were 3 admins there. Their passwords are also stored as MD5 hashes; one had a long and seemingly strong password, but it consisted of common words and a year, another had a date of birth. The third password was cracked in about an hour.
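Two separate defects made those hashes cheap to recover: the passwords themselves (7-8 digits, a date of birth, words plus a year) and the storage format (unsalted, single-round MD5, so one lookup table serves every user). The code below is an added example (not from the post or from AmxBans) that addresses both: a policy check that would have rejected every password described above, a salted PBKDF2-HMAC-SHA256 store beside the legacy MD5 for contrast, and a login routine that accepts an existing MD5 entry once and hands back the replacement hash, so a table of MD5 hashes migrates as admins log in. ITERATIONS, MIN_LENGTH and the function names are this example's own assumptions.

```python
"""Password storage the way an AmxBans-style admin table should do it, beside
the unsalted MD5 it actually uses.

Added example; not code from the post or from AmxBans. ITERATIONS and
MIN_LENGTH are assumptions to tune for your own host and policy.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000   # PBKDF2 rounds (assumption; raise until one check takes ~0.1 s)
MIN_LENGTH = 12


def digit_only_keyspace(min_len, max_len):
    """How many candidates cover every all-digit password of these lengths.
    7-8 digits, as in the post, is only 1.1e8 candidates: seconds of work."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def password_policy_errors(password):
    """Reasons a password is rejected; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        errors.append("digits only (a date of birth is digits only)")
    if re.search(r"(19|20)\d\d$", password):
        errors.append("ends with a year")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 2:
        errors.append("uses a single character class")
    return errors


def legacy_md5(password):
    """What AmxBans stores: unsalted MD5, identical for every user with the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; self-describing so rounds can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Constant-time check of a password against a hash_password() string."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password, stored):
    """Login check that accepts a legacy 32-hex MD5 entry once and returns the
    replacement hash to write back. Returns (ok, new_stored_or_None)."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return (ok, hash_password(password) if ok else None)
    return (verify_password(password, stored), None)


if __name__ == "__main__":
    print("7-8 digit candidates:", digit_only_keyspace(7, 8))
    for pw in ("12345678", "Summerholiday2013", "correct-horse-battery"):
        print(pw, "->", password_policy_errors(pw) or "accepted")
    ok, new_hash = verify_and_upgrade("12345678", legacy_md5("12345678"))
    print("legacy login ok:", ok, "| migrated:", new_hash[:30] + "...")
```

The per-user random salt is what breaks the hash-lookup service the post relied on: two admins with the same password get different stored strings, and a precomputed table is useless. The iteration count turns each guess into 200,000 HMAC computations, so even the 1.1e8-candidate all-digit space stops being a matter of seconds. The policy check is still the cheaper defence, since no hashing scheme rescues an 8-digit birth date.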

Of course, I will not inform the administration about this any more; moreover, when I reported the vulnerability the first time, I was told that because I had found it and told the administration about it, "you understand, trust itself is lost". (Well, yes, indeed, I should have exploited it and told no one :))

PS: Apparently they drew no conclusions. New administrators with the rights "abcdefghijklmnopqrstu" began to appear, and again these rights are granted by SteamID.

PPS: Even before moving on to the "active phase" with the generation of the administrator's SteamID, I offered them my free help in fixing some flaws in the plugins. In response I was told something like "we don't need help from some schoolkid".

Source: https://habr.com/ru/post/197728/
