Dynamic Duo Whitepaper

roothack.org

by Dynamic Duo

Team Name: Dynamic Duo Members: CODE_POET, asdf System: orion OS: Linux Mandrake 8.0 Kernel 2.4.3-20mdk ----------------------------------------------------------------------- (paper by CODE_POET) Open Season: The first thing we did was to document the os and version, Mandrake 8.0 Linux 2.4.3-20mdk, next we saw that there were 3 unused partitions, so we mounted the as /home and /var. The other unused partition was about 15 megs, we didnt feel like haveing a boot partition so we left it empty. We symlinked /tmp to /var/tmp since they are both varying data (why waste another partition?), mounted /home as rw, noexec,nosuid- var r,noexec,nosuid- /usr r,nosuid and / default. We Next we removed all suid bits except su. our next task was to take down un needed services, we decided to take remove uneeded services from the boot process arther than kill them incase we needed to reboot later. We only needed 3 so we left ssh, dl-monitor, and sunrps open. In addition asdf coded a fake wuftpd as an additional daemon. Since apache was unused we gave the user a uid of 0 and gave it a boot shell of /var/apache-nm (copy of bash.) This was the only backdoor we installed since the gateway was not up, the only port we could access from the outside was 22, so if we got rooted we could always login as apache (hopefully the attacker wasnt very observant.) We planned on more backdooring and securing but for some reason i thought it would be a good idea the 'chattr +i /etc', which would have been ok but i rebooted. Anyway, the system booted but didnt start ssh. After about 72 hours of not being able to access our system I got in touch with EPiC, he uploaded chatr to the system, 'chattr -i /etc' and started ssh (because the system was unable to write to /etc, it booted in safe mode, which by default didnt mount any partitions). We got in, but we decided since the system booted fine before we 'chattr +i /etc' it would boot fine not that it was undone, we rebooted and the same thing happened. EPiC told me he would just start ssh, which was what he did before, but about 35 hours later we find out we are disqualified. Remarks: It was a fun game, i hope to get to play again soon. Oh yeah, a day before i found out we were disqualified, Hades(or so im told by someone who had a box up) had hijacked our ip, we noticed the fingerprint was different for ssh so we filled with it with fake passwords, just in case our system came back online. I learned alot, fun games, wish i would have atleast gotten to finish securing it (We still had some great tricks up our sleeve =).