Team Parallax Whitepaper

roothack.org

by Team Parallax

This is taken from http://lockeddown.net/wargames/defense.txt 
Thanks

Defensive Write up.

Writeup of the defense by team Parallax (cryptix, josh, jp, slider, lockdown)

Defense is where we figured we would be strong and planned on putting
most of our efforts. We did the usual chmod -s'ing of SUIDs we didn't
need. We made a trusted group so only we could use certain SUIDs. We took
out the unnecessary daemons. Replaced apache with thttpd. Downgraded ssh to
version 1 because vandal's team claimed to have an ssh 2 exploit that later
turned out to be a trojan. Our ssh1 sessions should have been sniffable
with dsniff, although I've never tried it, but we should have been warned
if that happened. I found that the ssh1 advisory included a patch and was
going to upgrade to the last ssh1 and apply it later. We had upgraded the
kernel to 2.2.19 and were working on upgrading glibc, which is a pain in
the ass. We switched to nklogd. We ran a decoy daemon (decoy.c) I made
which was supposed to look like a backdoor and look like it was vulnerable
to an overflow. No one messed around with it, though; even if it was
vulnerable you would have almost no chance of producing an exploit, since
they didn't have copies of the source or binary. We ran the latest version
of proftpd but changed the version string to show that of a prior version
that had a known exploit. We hadn't allowed anonymous logins yet; we were
planning on it later. Either way they fell for that and were trying to
use stfu.c to exploit us. I think that is about all; we had more stuff
planned, but this didn't last as long as we thought it would.
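The SUID cleanup described above (strip the setuid bit from binaries nobody needs, keep the rest usable only by a trusted group) as an added example; this is not the team's own script, and the file names, the `keep` set and the `harden`/`demo` helpers are illustrative choices. `demo` builds a constructed sample tree of two fake setuid files in a temporary directory, with the current process's own group standing in for the trusted group, so it runs offline without root.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setuid(root):
    """Return sorted paths of regular files under root with setuid or setgid set.

    Symlinks are not followed (lstat), so a link pointing at /bin/su is not
    reported as a second copy of it.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append(path)
    return sorted(hits)


def strip_setid(path):
    """Equivalent of `chmod -s path`: clear setuid and setgid, keep other bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~SETID_BITS)
    return stat.S_IMODE(os.stat(path).st_mode)


def restrict_to_group(path, gid):
    """Keep the setuid bit but make the binary usable only by its owner and
    the trusted group: `chgrp <gid> path; chmod 4750 path`."""
    os.chown(path, -1, gid)
    os.chmod(path, 0o4750)
    return stat.S_IMODE(os.stat(path).st_mode)


def harden(root, keep, trusted_gid):
    """Audit root: setuid files whose basename is in `keep` are restricted to
    the trusted group, everything else loses its setid bits.
    Returns {path: 'restricted' | 'stripped'}."""
    actions = {}
    for path in find_setuid(root):
        if os.path.basename(path) in keep:
            restrict_to_group(path, trusted_gid)
            actions[path] = "restricted"
        else:
            strip_setid(path)
            actions[path] = "stripped"
    return actions


def demo():
    """Constructed sample tree (not a real system): two fake setuid binaries,
    'su' to keep (group-restricted) and 'ping' to strip. Returns the result."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name in ("su", "ping"):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")  # stand-in for a real setuid binary
        os.chmod(path, 0o4755)
    before = [os.path.basename(p) for p in find_setuid(root)]
    actions = harden(root, keep={"su"}, trusted_gid=os.getgid())
    return {
        "before": before,
        "actions": {os.path.basename(p): a for p, a in actions.items()},
        "su_mode": stat.S_IMODE(os.stat(os.path.join(root, "su")).st_mode),
        "ping_mode": stat.S_IMODE(os.stat(os.path.join(root, "ping")).st_mode),
        "after": [os.path.basename(p) for p in find_setuid(root)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

On a real box you would run `harden("/", keep={...}, trusted_gid=<gid of the trusted group>)` as root after reviewing the `find_setuid` output by hand; the `keep` set is the only thing that separates "we still need su" from "nobody needs this".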
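The decoy idea above (a service that advertises an older, exploitable-looking version and logs whoever takes the bait) as an added example in Python; it is not the team's decoy.c nor their proftpd setup, and the banner text, the `classify` heuristics and the thresholds are assumptions. The handler works over plain file-like objects so it can be exercised offline against a constructed client transcript; wiring it to a listening socket (`conn.makefile("rb")` / `conn.makefile("wb")`) is left to the caller.

```python
import io
import re

# Hypothetical placeholder banner: the point is to look like a version an
# attacker already has a canned exploit for, not to match the real daemon.
BANNER = b"220 ProFTPD 1.2.x Server (decoy) ready.\r\n"

MAX_LINE = 256                                # longer than any legitimate FTP command
FORMAT_SPEC = re.compile(rb"%\d*\$?[nsxpd]")  # %n, %8$x, ... format-string probes
NOP_SLED = b"\x90" * 16                       # classic x86 NOP sled fragment


def classify(line):
    """Return the list of reasons a command line looks like an exploit attempt."""
    reasons = []
    if len(line) > MAX_LINE:
        reasons.append("oversized")
    if any(b < 0x20 or b > 0x7E for b in line):
        reasons.append("non-printable")       # raw shellcode / addresses on the wire
    if FORMAT_SPEC.search(line):
        reasons.append("format-string")
    if NOP_SLED in line:
        reasons.append("nop-sled")
    return reasons


def handle_session(rfile, wfile, log, max_cmds=32):
    """Serve one decoy FTP control session.

    rfile/wfile are binary file-like objects; log is a list that receives one
    dict per command. Every login is refused, and the session is cut after
    max_cmds commands so a flooding client cannot pin the process.
    Returns the number of commands seen."""
    wfile.write(BANNER)
    count = 0
    for raw in iter(rfile.readline, b""):
        count += 1
        line = raw.rstrip(b"\r\n")
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        log.append({
            "verb": verb.decode("ascii", "replace"),
            "arg_len": len(arg),
            "alerts": classify(line),
        })
        if verb == b"USER":
            wfile.write(b"331 Password required.\r\n")
        elif verb == b"PASS":
            wfile.write(b"530 Login incorrect.\r\n")
        elif verb == b"QUIT":
            wfile.write(b"221 Goodbye.\r\n")
            break
        else:
            wfile.write(b"530 Please login with USER and PASS.\r\n")
        wfile.flush()
        if count >= max_cmds:
            break
    return count


def simulate(client_bytes):
    """Run handle_session against a constructed client transcript, offline.
    Returns (server_output, log)."""
    log = []
    out = io.BytesIO()
    handle_session(io.BytesIO(client_bytes), out, log)
    return out.getvalue(), log


if __name__ == "__main__":
    # Constructed sample transcript: a normal-looking USER, then an
    # overflow-sized PASS and a format-string probe, as a canned exploit sends.
    transcript = (b"USER ftp\r\n"
                  b"PASS " + b"A" * 600 + b"\r\n"
                  b"SITE %n%n%n%n\r\n"
                  b"QUIT\r\n")
    output, entries = simulate(transcript)
    print(output.decode("ascii", "replace"))
    for entry in entries:
        print(entry)
```

The log entries (command verb, argument length, alert reasons) are what you actually want from a decoy: they tell you who is probing and with what, without the decoy ever needing to be vulnerable.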


Offensive Write up http://lockeddown.net/wargames/offense.txt

Writeup of the offensive by team Parallax (cryptix, pj, josh, slider, lockdown)

We are a team of "whitehat" hackers; none of us have hacked illegally,
only participated in wargames in the past. We don't really have any 0day
links, and none of us were working on any current holes at the time of the
wargame. We figured we would play a defensive game and hold our ground for
the most part. Knowing no one would run daemons with known
vulnerabilities, and not having time to audit already heavily audited
programs, we decided to take a different approach. Epic had created an
account on our box, so we made the assumption that he had an account on all
the wargames. Slider came up with the idea of trying to crack epic's passwd
on our box with john. It didn't crack with any wordfiles, so we went to work
on backdooring our sshd to log all passwords on login, and slider went off
and tried to guess epic's passwd on vandal's box. Before I even had a chance
to compile my mods, slider had already rooted vandal's box. Slider guessed
epic's password and used a public exploit to exploit xlock via a format
string and took root on vandal's box. Then we all jumped over to that box
and tried to lock it down and lock them out. Vandal's team was only running
telnetd. a_d's team happened to be sniffing and noticed epic's password go
across the wire, and before we knew it they were on and trying to take
over. We had one person dedicated to killing the intruders while we worked
on getting ssh installed. We couldn't change the passwords because they
would be sniffed, so we encrypted the passwords on our personal boxes and
copied them to /etc/shadow. That way, if we got disconnected, we could get
back in, and would have to change the password really fast.

Then it was looking like a stalemate between a_d's team and ourselves. I
was talking with pir8 on irc and he mentioned that his ssh password was in
their sniffer logs. I told him he must be telnetting to the gateway and
ssh'ing to his box, and he was like yeah, but I use different passwords for
each box, and at that point I wisely shut up. We set up a sniffer and
started watching; we got pir8's pass and the root pass and kept watching.
After login he ran ./c, and when he did w no one showed up, so we knew logs
were being cleaned. In ps we saw a perl script running, so we made sure we
killed that when we got in. We waited for activity to die down and then we
made the hit on their server, and swiftly overtook it. Not exactly the
most exciting hacks, but it was about the only chance we had offensively,
so we seized it.

___________
lockdown