Team DefunctIfIKno Whitepaper

roothack.org

by Team DefunctIfIKno

Security White paper notes.
------------------------------

First we chmodded gateway directories to 700, for local security. We wanted what code we uploaded to the gateway to be secure.

Uploaded updated packages including kernel, new gcc, libraries required for our sniffer, some code we had been working on.

Installed latest ssh.

Removed Suid Bits on files, We decided to teach bl00k how to do this as he needs to do it to his own server.

Set up DIR security and layout. Decided what was going where, hidden and not.

Installed a rootkit finder we coded, nothing special, checked insmod, checked lsof output for listening ports, compared ps etc....

Taught bl00k how to remove suids... and world writeable dirs.

Installed new kernel.. 2.2.20-1

Ports scanned, shut down all ports not being used by services we needed.

Backdoord the machine with two suid doors, two bound shells on boot that were passwd protected.

EPiC got crafty late into the night and decided to try his c kung foo writing a door that would allow him to ping the machine with a certain packet size, and it would then copy our passwd and shadow and a few other files from /dev/junk where we hid them. The idea was to have the machine overwrite changes made in a compromised situation and reboot the machine with our pre-existing configuration. This later lead to our demise as EPiC again learned his c skills suck. Team zion found this door attempt, and used it to get root.

<phr0st insert>

EPiC and Phr0st continued ARP sniffing MAC's of hades and other boxes in the games in a futile attempt to find someone's screwing up. But all that was found via this method was SSH encrypted sessions with up to date SSH daemons and EPiC's hack3r bot. All in all the boxes were tight. Phr0st installed apache (helping Bl00k install it on his server) and he and EPiC were trying to get a mod_test apache backdoor installed via DSO, but it never panned out.

</phr0st insert>


Our mission was mostly to try our own code, and teach bl00k as we learned ourselves. We had a great time, learned a lot of interesting things, (sorry about stealing your MAC address bl00k, you can have it back) and would play again any day.


<bl00k insert>

I don't think I did too much to help, but there were a few times I was useful. I mostly monitored our system to see if anyone was trying to gain access to it. I did catch someone and then let epic deal with them ;) I'm glad I could be a guinea pig for phr0st. I still can't believe he stole my MAC address. Phr0st also helped me setup and configure Apache, which was nice of him. :) I had a good time and learned things I didn't know before. I agree with Epic, that one of the best parts about it was just being together with good friends. It was a wonderful weekend. From Friday night to Monday morning I saw the sun a total of 20 minutes.

</bl00k insert>
Epic - Owner of Hack3r.com