Team Zion Whitepaper

roothack.org

by Team Zion

Our machine, Erebus, was running Red Hat 6.1 with the 2.2.13 Linux Kernel. We removed the set[ug]id bits on all the binaries except su. We removed execute privileges for "other" and changed the group to zion. All team members were added to the zion group; however, we did not add the staff accounts to this group just in case. We re-mounted all the partitions except root nosuid, nodev, and the home and var partitions were additionally mounted as noexec (BOFH style ;). There was not a separate partition for tmp, so we removed the directory and symlinked it to /var/tmp. A kernel module which removed ptrace capabilities was compiled and insmod'd to keep us from getting rooted through a kernel hole. All the services except sshd were killed and disabled.

We compiled and installed sniffit, ettercap, secure sniffer, pcap, nmap, ncurses, ippl, arpoison, netcat, libnet, etc. One might ask why we installed so many different sniffers and protocol loggers, and that really comes down to variations in preference among the team members. I installed the fake pop3 daemon and my httpd which we used in the previous rootwars and started up various internal services of the Internet Super Server such as echo. I installed vsftpd and redby set up postfix to run chrooted. I did an rpm -Va to check out the packages and noticed that passwd and the passwd PAM module checksums failed. This made me paranoid, so I upgraded the RPMS for critical pieces of the system, which required a few upgrades of rpm itself (no fun!).

Once we had our system configured, we fixed the initialization scripts so that our configuration would remain intact after a reboot. To break most exploits and retard a takeover, we used chattr to make just about all of the file system immutable. To further solidify our configuration, we took advantage of the Linux Capabilities to remove CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE, CAP_LINUX_IMMUTABLE, CAP_SYS_ADMIN and a few others. This ensured that not even root could change the configuration without rebooting the system. We did leave the reboot option open in case we needed to make a change, since disabling CAP_SYS_BOOT effectively forces one to hard reboot!
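The mount policy described above (nosuid and nodev on every partition except root, plus noexec on home and var) can be checked mechanically. The following is an added example, not code from Team Zion: the device names in the sample are constructed, and the function names and the list of pseudo-filesystems to skip are assumptions.

```python
import re

REQUIRED_EVERYWHERE = {"nosuid", "nodev"}   # every partition except root
NOEXEC_MOUNTS = {"/home", "/var"}            # additionally mounted noexec
SKIP_FSTYPES = {"proc", "devpts"}            # assumption: ignore pseudo-filesystems

# Constructed sample in /proc/mounts format (device names are made up).
SAMPLE_MOUNTS = r"""
/dev/hda1 / ext2 rw 0 0
/dev/hda5 /home ext2 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /var ext2 rw,nosuid,nodev 0 0
/dev/hda7 /usr ext2 rw,nodev 0 0
none /proc proc rw 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(text):
    """Return [(mount_point, [missing options])] for mounts that break the policy."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        mount_point, fstype = unescape(parts[1]), parts[2]
        options = set(parts[3].split(","))
        if fstype in SKIP_FSTYPES or mount_point == "/":
            continue                          # root is exempt, as in the write-up
        required = set(REQUIRED_EVERYWHERE)
        if mount_point in NOEXEC_MOUNTS:
            required.add("noexec")
        missing = sorted(required - options)
        if missing:
            findings.append((mount_point, missing))
    return findings

if __name__ == "__main__":
    for mount_point, missing in audit_mounts(SAMPLE_MOUNTS):
        print(f"{mount_point}: missing {','.join(missing)}")
```

Because /tmp is a symlink into /var/tmp in this setup, it inherits whatever options /var carries, so a missing noexec on /var also leaves tmp executable.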


As soon as Open Season kicked off, everyone fired up their favorite sniffer, and soon after redby and jduck sniffed Team Swinger's FTP sessions and swiftly took over their box with a ptrace exploit. Team Monkies Anonymous and Team Offset were only running one service, the latest commercial Secure Shell, so we decided to give them a dose of our ARP spoofing kung-fu. jduck wrote a nicer password logging hack for sshd while I played around with arpoison until I achieved the desired effect. From what I can tell, if the ARP table is locked with hard-coded entries, arpoison does not work. This is just my assumption. In order to set up a few things we needed for our attack, we had to change some of the file system, which was immutable even to root because we had revoked the privileges. I realized that no one had set up sshd to start on boot, so if we rebooted we'd be locked out of our machine. jduck set up a cron job; I rebooted the system and the cron job fired up sshd about a minute later (high fives all around). jduck set up everything for the password snatching attack. Once I removed the entries for Hades and Orion from our ARP table, we were able to hijack their IPs. qubit detected our attack and announced to the #roothack channel that Zion was ARP spoofing and to beware. Unfortunately for Team Offset, Atnnn was not listening and tried to log in, which gave us his password. jduck spoofed the main gateway and with some tweaking of our ARP tables managed to connect to Orion while people on Acheron were still getting directed to our machine. He rooted it quickly with a local ptrace exploit and created a connect-back root shell using only bash.

Sometime after we rebooted to regain privileges and after setting up sshd to launch on boot, I got to playing around with the privileges again. I had read on the lcap site that it was possible to reset the Linux Capabilities to full by writing to the address of cap_bset in /dev/mem if CAP_SYS_RAWIO had not been revoked. So I started hacking some code and then jduck hacked at it a bit and we had a nice program to reset privileges in a pinch. I do not think any of the other teams posed a threat, but if they had by some means gained root access I was confident that they would not be able to reset the Linux Capabilities. And even if they were capable, I knew it'd buy us enough time to patch the hole before they could perform such a feat.

While I was checking out the system during the Grace Period, I noticed that EPiC had left a shell script in /root which configured various things for the RootWars systems. One of the steps caught my eye. Every team's box was set up to log all messages to Acheron. I grep'd /etc/services for syslog and found out it was sending traffic on udp port 514. After unsuccessfully trying to get super sniffer to grab the syslog transmissions, jduck set up tcpdump and later coded a really nice syslog sniffer. With this we were able to determine quite a bit about our opponents' operating system, configuration, users, and more. Inevitably passwords end up getting logged due to typos, and that's mainly what I was looking for, but it never happened.
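The capability lock-down from the configuration section, and the remark above that the bounding set can be reset through /dev/mem while CAP_SYS_RAWIO remains, can be turned into a check on a bounding-set mask. This is an added example, not Team Zion's program: it reads the CapBnd line of the modern /proc/<pid>/status format (an assumption, since the 2.2-era kernel exposed the mask differently), and the sample masks and function names are constructed.

```python
import re

# Bit numbers from <linux/capability.h> for the capabilities the write-up names.
CAP_BITS = {
    "CAP_LINUX_IMMUTABLE": 9,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22,
    "CAP_SYS_TIME": 25,
}
# Capabilities the write-up lists as removed.
REVOKED = ("CAP_SYS_MODULE", "CAP_SYS_TIME", "CAP_SYS_PTRACE",
           "CAP_LINUX_IMMUTABLE", "CAP_SYS_ADMIN")

# Constructed samples: the five capabilities above cleared, CAP_SYS_BOOT kept,
# with CAP_SYS_RAWIO kept in the first mask and dropped in the second.
SAMPLE_RAWIO_KEPT = "Name:\tinit\nCapBnd:\t000001fffdd6fdff\n"
SAMPLE_RAWIO_DROPPED = "Name:\tinit\nCapBnd:\t000001fffdd4fdff\n"

def bounding_set(status_text):
    """Extract the CapBnd hex mask from /proc/<pid>/status text."""
    match = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapBnd line found")
    return int(match.group(1), 16)

def has_cap(mask, name):
    return bool((mask >> CAP_BITS[name]) & 1)

def audit_lockdown(status_text):
    mask = bounding_set(status_text)
    return {
        # capabilities that should be gone but are still in the bounding set
        "not_revoked": [name for name in REVOKED if has_cap(mask, name)],
        # left available on purpose so a soft reboot stays possible
        "reboot_allowed": has_cap(mask, "CAP_SYS_BOOT"),
        # per the lcap note cited above: raw memory access can undo the drop
        "resettable_via_rawio": has_cap(mask, "CAP_SYS_RAWIO"),
    }

if __name__ == "__main__":
    print(audit_lockdown(SAMPLE_RAWIO_KEPT))
    print(audit_lockdown(SAMPLE_RAWIO_DROPPED))
```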

Conclusions: MVP for this game was jduck. Although he said these games were lame and boring a few times, I think he might have actually had some fun -- I know I did. Hopefully he'll play with Zion again in the future, although he expressed an interest in forming a team to dethrone us. The funniest part of the games was qubit's outburst after we rooted his system! For some time I think he really believed we were lying and trying to Social Engineer him. Pasting the contents of his $HOME seemed to get the point across. Although this was not the most exciting RootWars for me, I did learn a lot by working with jduck and we made some code that I would not have otherwise thought to create. Finally, I have to give credit to the rest of our team members for helping out as they could. Since this game started midweek, they were mostly involved with their studies and work.

Good game

core - Team Zion