Masters Of Deception Whitepaper

roothack.org

by Masters Of Deception

**** Roothack.org Addition ****

root@cerberus:/home/epic/wargames/grace# cat orion.txt

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on orion.roothack.org (192.168.200.5):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp 
23/tcp open telnet 
25/tcp open smtp 
111/tcp open sunrpc 
515/tcp open printer 
587/tcp open submission 
691/tcp open resvc 
2049/tcp open nfs

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
epic@orion:~$ ps axu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 344 64 ? S Dec02 0:11 init [3]
root 2 0.0 0.0 0 0 ? SW Dec02 0:09 [kflushd]
root 3 0.0 0.0 0 0 ? SW Dec02 0:04 [kupdate]
root 4 0.0 0.0 0 0 ? SW Dec02 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW Dec02 0:12 [kswapd]
bin 74 0.0 0.2 1088 68 ? S Dec02 0:00 /sbin/rpc.portmap
root 78 0.0 0.6 1372 208 ? S Dec02 0:02 /usr/sbin/syslogd
root 81 0.0 0.5 1516 164 ? S Dec02 0:01 /usr/sbin/klogd -c 3
root 85 0.0 0.7 1404 212 ? S Dec02 0:00 /usr/sbin/lpd
root 87 0.0 0.2 1720 88 ? S Dec02 0:00 /usr/sbin/rpc.mountd
root 90 0.0 0.2 1736 88 ? S Dec02 0:00 /usr/sbin/rpc.nfsd
root 92 0.0 1.2 1180 364 ? S Dec02 0:00 /usr/sbin/crond -l10
daemon 94 0.0 0.2 1188 60 ? S Dec02 0:00 /usr/sbin/atd -b 15 -l 1
root 101 0.0 1.5 2316 472 ? S Dec02 0:01 sendmail: accepting connections
root 113 0.0 0.0 1104 0 ttyS0 SW Dec02 0:00 [gpm]
root 115 0.0 0.0 1056 24 tty1 S Dec02 0:00 /sbin/agetty 38400 tty1 linux
root 116 0.0 0.0 1056 0 tty2 SW Dec02 0:00 [agetty]
root 117 0.0 0.0 1056 0 tty3 SW Dec02 0:00 [agetty]
root 118 0.0 0.0 1056 0 tty4 SW Dec02 0:00 [agetty]
root 119 0.0 0.0 1056 0 tty5 SW Dec02 0:00 [agetty]
root 120 0.0 0.0 1056 0 tty6 SW Dec02 0:00 [agetty]
root 29492 0.0 0.4 1164 132 ? S Dec02 0:13 in.telnetd: cerebus.roothack.org 
phreaked 29493 0.0 0.0 1756 0 pts/1 SW Dec02 0:00 [bash]
root 29504 0.0 2.3 1776 692 pts/1 S Dec02 0:00 bash
root 5335 0.0 0.6 1356 208 ? S Dec02 0:00 inetd
root 2620 0.0 1.9 1164 568 ? S 11:36 0:03 in.telnetd: cerebus.roothack.org 
moth7 2621 0.0 3.4 1760 1028 pts/0 S 11:36 0:01 -bash
root 6265 0.2 1.8 1164 564 ? S 15:58 0:00 in.telnetd: cerebus.roothack.org 
epic 6266 0.6 3.4 1772 1036 pts/2 S 15:58 0:00 -bash
epic 6276 0.0 3.3 2636 988 pts/2 R 15:59 0:00 ps axu
epic@orion:~$

epic@orion:~$ uname -a
Linux orion 2.2.16 #97 Fri Jun 16 19:45:30 PDT 2000 i586 unknown
epic@orion:~$ cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:1::/home/ftp:/bin/bash
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
nobody:x:99:99:nobody:/:
epic:x:1000:100:,,,:/home/epic:/bin/bash
vbfavre69:x:1001:100:,,,:/home/vbfavre69:/bin/bash
bigbowser:x:1002:100:,,,:/home/bigbowser:/bin/bash
phreaked:x:1003:100:,,,:/home/phreaked:/bin/bash
moth7:x:1004:100:,,,:/home/moth7:/bin/bash
arpop:x:1005:100:,,,:/home/arpop:/bin/bash
epic@orion:~$


epic@orion:~/suids$ cat suid
-rws--x--x 1 root bin 34280 Jun 19 2000 /usr/bin/at
-rws--x--x 1 root bin 10192 Jun 19 2000 /usr/bin/crontab
-rwsr-x--- 1 root floppy 16980 May 25 2000 /usr/bin/fdmount
-rws--x--x 1 root bin 3176 Apr 24 2000 /usr/bin/disable-paste
-r-s--s--x 1 root lp 14632 May 13 2000 /usr/bin/lpq
-r-s--s--x 1 root lp 15096 May 13 2000 /usr/bin/lpr
-r-s--s--x 1 root lp 15288 May 13 2000 /usr/bin/lprm
-rws--x--x 1 root bin 33760 Jun 18 2000 /usr/bin/chage
-rws--x--x 1 root bin 29572 Jun 18 2000 /usr/bin/chfn
-rws--x--x 1 root bin 27188 Jun 18 2000 /usr/bin/chsh
-rws--x--x 1 root bin 17584 Jun 18 2000 /usr/bin/expiry
-rws--x--x 1 root bin 34212 Jun 18 2000 /usr/bin/gpasswd
-rws--x--x 1 root bin 20368 Jun 18 2000 /usr/bin/newgrp
-rws--x--x 1 root bin 35620 Jun 18 2000 /usr/bin/passwd
---s--x--x 1 root root 77444 Jun 18 2000 /usr/bin/sudo
-rws--x--x 1 root bin 662512 Apr 27 2000 /usr/bin/suidperl5.6.0
-rwsr-sr-x 1 root mail 73812 Jun 9 2000 /usr/bin/procmail
-rwsr-xr-x 1 root bin 25081 Jun 19 2000 /usr/bin/rcp
-rwsr-xr-x 1 root bin 10516 Jun 19 2000 /usr/bin/rlogin
-r-sr-xr-x 1 root bin 7860 Jun 19 2000 /usr/bin/rsh
-r-sr-xr-x 1 root bin 10036 Jun 19 2000 /usr/bin/traceroute
-r-sr-xr-x 1 uucp bin 82928 Jun 21 2000 /usr/bin/uucp
-r-sr-xr-x 1 uucp bin 36260 Jun 21 2000 /usr/bin/uuname
-r-sr-xr-x 1 uucp bin 92116 Jun 21 2000 /usr/bin/uustat
-r-sr-xr-x 1 uucp bin 84828 Jun 21 2000 /usr/bin/uux
-rwsr-xr-x 1 root root 6196 Jun 7 2000 /usr/lib/mc/bin/cons.saver
-r-sr-xr-x 1 uucp uucp 65004 Jun 21 2000 /usr/lib/uucp/uuchk
-r-sr-xr-x 1 uucp uucp 208428 Jun 21 2000 /usr/lib/uucp/uucico
-r-sr-xr-x 1 uucp uucp 69920 Jun 21 2000 /usr/lib/uucp/uuconv
-r-sr-xr-x 1 uucp uucp 315 Nov 22 1995 /usr/lib/uucp/uusched
-r-sr-xr-x 1 uucp uucp 94540 Jun 21 2000 /usr/lib/uucp/uuxqt
-r-sr-x--- 1 uucp news 89984 Jun 14 2000 /usr/lib/news/bin/rnews
-r-sr-x--- 1 root news 43388 Jun 14 2000 /usr/lib/news/bin/inndstart
-r-sr-x--- 1 root news 40796 Jun 14 2000 /usr/lib/news/bin/startinnfeed
-rwsr-xr-x 1 root root 20208 Jun 7 2000 /usr/sbin/gnome-pty-helper
-r-sr-sr-x 1 root bin 350140 Jun 9 2000 /usr/sbin/sendmail
-rws--x--x 1 root bin 12144 Feb 27 2000 /usr/X11R6/bin/dga
-rws--x--x 1 root bin 159560 Feb 27 2000 /usr/X11R6/bin/xterm
-rws--x--x 1 root bin 4960 Feb 27 2000 /usr/X11R6/bin/Xwrapper
-rws--x--x 1 root bin 9524 Feb 27 2000 /usr/X11R6/bin/xload
-rws--x--x 1 root bin 78480 Feb 27 2000 /usr/X11R6/bin/rxvt
-rws--x--x 1 root bin 1676980 May 28 2000 /usr/X11R6/bin/xlock
-rwsr-xr-x 1 root root 5772 Nov 17 2003 /usr/libexec/pt_chown
-rws--x--x 1 root root 33852 Jun 18 2000 /bin/su
-rwsr-xr-x 1 root bin 60912 May 9 2000 /bin/mount
-rwsr-xr-x 1 root bin 28588 May 9 2000 /bin/umount
-r-sr-xr-x 1 root bin 14772 Jun 19 2000 /bin/ping
-rwsr-xr-x 1 root root 6064 Oct 3 1999 /opt/kde/bin/kcheckpass
-rwsr-xr-x 1 root root 5076 Oct 3 1999 /opt/kde/bin/konsole_grantpty
-rwsr-xr-x 1 root root 366172 Oct 3 1999 /opt/kde/bin/kppp
epic@orion:~/suids$

epic@orion:~/suids$ cat worldw
drwxrwxrwt 2 root root 4096 Nov 30 1993 /var/spool/tmp
drwxrwxrwt 2 root mail 4096 Nov 29 19:35 /var/spool/mail
drwxrwxrwt 2 root root 4096 Dec 3 15:19 /var/tmp
drwxrwxrwt 2 root root 4096 Dec 3 13:47 /var/man/cat1
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/cat2
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/cat3
drwxrwxrwt 2 root root 4096 Nov 27 1993 /var/man/cat4
drwxrwxrwt 2 root root 4096 Dec 2 21:04 /var/man/cat5
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/cat6
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/cat7
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/cat8
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/cat9
drwxrwxrwt 2 root root 4096 Nov 25 1993 /var/man/catn
lrwxrwxrwx 1 root root 10 Nov 29 19:35 /var/mail -> spool/mail
drwxrwxrwx 2 root root 4096 Nov 29 19:55 /var/named
drwxrwxrwt 5 root root 4096 Apr 25 2000 /var/cache/fonts
drwxrwxrwt 2 root root 4096 Apr 25 2000 /var/cache/fonts/pk
drwxrwxrwt 2 root root 4096 Apr 25 2000 /var/cache/fonts/source
drwxrwxrwt 2 root root 4096 Apr 25 2000 /var/cache/fonts/tfm
-rw-rw-rw- 1 root root 136 Apr 25 2000 /var/cache/fonts/ls-R
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat1 -> /var/man/cat1
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat2 -> /var/man/cat2
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat3 -> /var/man/cat3
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat4 -> /var/man/cat4
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat5 -> /var/man/cat5
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat6 -> /var/man/cat6
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat7 -> /var/man/cat7
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat8 -> /var/man/cat8
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/cat9 -> /var/man/cat9
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/man/catn -> /var/man/catn
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat1 -> /var/man/cat1
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat2 -> /var/man/cat2
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat3 -> /var/man/cat3
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat4 -> /var/man/cat4
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat5 -> /var/man/cat5
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat6 -> /var/man/cat6
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat7 -> /var/man/cat7
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat8 -> /var/man/cat8
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/cat9 -> /var/man/cat9
lrwxrwxrwx 1 root root 13 Nov 29 20:04 /usr/openwin/man/catn -> /var/man/catn
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat1 -> /var/man/cat1
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat2 -> /var/man/cat2
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat3 -> /var/man/cat3
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat4 -> /var/man/cat4
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat5 -> /var/man/cat5
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat6 -> /var/man/cat6
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat7 -> /var/man/cat7
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat8 -> /var/man/cat8
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/cat9 -> /var/man/cat9
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11R6/man/catn -> /var/man/catn
drwxrwxrwt 2 root root 4096 Nov 30 1993 /usr/spool/tmp
drwxrwxrwt 2 root mail 4096 Nov 29 19:35 /usr/spool/mail
lrwxrwxrwx 1 root root 8 Nov 29 19:35 /usr/tmp -> /var/tmp
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat1 -> /var/man/cat1
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat2 -> /var/man/cat2
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat3 -> /var/man/cat3
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat4 -> /var/man/cat4
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat5 -> /var/man/cat5
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat6 -> /var/man/cat6
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat7 -> /var/man/cat7
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat8 -> /var/man/cat8
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/cat9 -> /var/man/cat9
lrwxrwxrwx 1 root root 13 Nov 29 19:35 /usr/X11/man/catn -> /var/man/catn
drwxrwxrwt 3 root root 4096 Dec 3 14:53 /tmp
-rwxrwxrwx 1 root root 389 Jun 23 2003 /home/vbfavre69/install/doinst.sh
-rw-rw-rw- 1 root root 58 Nov 29 19:39 /etc/shells
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/rock
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/blues
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/classical
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/jazz
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/newage
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/soundtrack
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/reggae
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/folk
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/country
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/misc
drwxrwxrwt 2 root root 4096 Oct 11 1999 /opt/kde/share/apps/kscd/cddb/data
epic@orion:~/suids$


**** End Roothack.org Addition ****
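The worldw listing in the addition above mixes harmless sticky-bit directories (/tmp, /var/tmp, the man cat dirs) with entries that should never be world-writable, such as /etc/shells and /var/named. This added example (not part of the original writeup or of roothack.org; WORLDW_SAMPLE, triage_worldw and worldw_live are names chosen here) triages an ls-style listing of that kind and reports only the entries a defender needs to fix:

```shell
#!/bin/sh
# Added example, not from the original writeup: triage a world-writable
# listing like the worldw file above. A world-writable directory is only
# acceptable when it carries the sticky bit (t), as /tmp does; symlinks are
# skipped because their mode is always lrwxrwxrwx; every other
# world-writable file or directory is reported.

# Sample listing constructed from entries shown on the page.
WORLDW_SAMPLE='drwxrwxrwt 2 root root 4096 Dec 3 15:19 /var/tmp
lrwxrwxrwx 1 root root 10 Nov 29 19:35 /var/mail -> spool/mail
drwxrwxrwx 2 root root 4096 Nov 29 19:55 /var/named
-rw-rw-rw- 1 root root 136 Apr 25 2000 /var/cache/fonts/ls-R
-rwxrwxrwx 1 root root 389 Jun 23 2003 /home/vbfavre69/install/doinst.sh
-rw-rw-rw- 1 root root 58 Nov 29 19:39 /etc/shells'

# Read "ls -l" style lines on stdin; print the path of each entry to fix.
# Field order: mode links owner group size month day time-or-year path.
triage_worldw() {
    while read -r mode _links _owner _group _size _mon _day _time path _rest; do
        case "$mode" in
            l*) continue ;;              # symlink: its mode means nothing
            ????????w?) ;;               # "other" has write: keep checking
            *) continue ;;               # not world-writable at all
        esac
        case "$mode" in
            d????????[tT]) continue ;;   # sticky shared dir such as /tmp: fine
        esac
        printf '%s\n' "$path"
    done
}

# The same check against a live box: list world-writable entries with
# find, skip symlinks, and feed their ls -ld lines through the triage.
worldw_live() {
    find / -xdev -perm -002 ! -type l -exec ls -ld {} + 2>/dev/null | triage_worldw
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$WORLDW_SAMPLE" | triage_worldw
```

For the reported paths the fix is `chmod o-w` (a world-writable /etc/shells lets any local user add a shell that chsh and ftpd will trust); only a directory that genuinely has to be shared should get mode 1777 instead.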


Team/Roles:
BigBowser - Defence/Attack
Arpop - Defence
Phreaked - Attack
VBFAVRE69 - Attack
Moth7 - Defence

-Prologue-
Before the grace period began the team was full of ideas for what we 
were going to do. Jobs were assigned to each member based on ability and 
knowledge - Arpop was going to sort out iptables + an IDS, Moth + Bowser 
were in charge of removing the daemons ( which would later lose us the 
game :( ) and VB and Phreaked were going to install various packages but 
were focused mainly on attack. Things all looked fine and we were well 
organised - so we thought.
Just before the grace period began, Moth had to go and get some sleep 
due to time zone differences, but the rest of the team, bar Arpop, were 
online ready to go.

A couple of ideas we had:
*Replace everything in /bin with an executable which just logged you out 
=> Never happened
*Move real /bin to somewhere like /ussr/bin :p => Never happened
*Bind lots of ports to /dev/null with a stupid banner => Happened
*Route all packets from each local box back where they came from => 
Never happened

-Grace Period-
When the grace period began we immediately had problems. We found out 
our OS OK (Slackware 7.1) and started downloading the latest version of 
Glibc, Snort and the Linux kernel. However, Snort refused to install and 
ftp was just not happening. Bowser managed to take down some of the 
offending daemons but that evidently didn't help (since we got rooted 
through wuftpd). SSH2 also refused to compile despite having the latest 
versions of all required libraries installed. We did have some luck in 
that Bowser got the latest version of Bash installed - it wasn't however 
much use with no more than half our team online at any one point - in 
hindsight we spent too long bitching about what would turn out to be 
valid excuses for not being there.
Arpop finally turned up a couple of hours before the grace period ended, 
found _he_ was able to use the ftp properly and set out to clear 
everything up - not surprisingly his computer continued to be a bitch 
and restarted, giving us no hope of him completing all the important 
jobs that he had assigned himself - mainly setting up iptables and the 
like. Moth modded nawok's shell binding program (on Roothack: 
http://roothack.org/framed.php?url=archives/tcpdoor.c ) to bind to 
/dev/null and pretend to be an XBOX ( Micro$oft xXx b0x v1337a to be 
precise ;) ). This worked initially but when scripted to bind to a huge 
number of ports it decided it would like to imitate the XBOX in the 
truest sense and not work properly. On top of that, the script had 
been run under root, so more time was wasted "$ kill"ing the daemons and 
relocating them to a less privileged user.

The rest as they say is history - rooted in a historic 12 minutes :(

It wasn't for lack of ideas that we failed - more lack of effort. We 
tried up to a point but a combination of box faults - both on our end 
and orion's - and team members arguing over why we weren't all online 
caused us to give in. Apologies to anyone who was discredited by this 
and sorry for any details that I missed out, but a) I was asleep half the 
time due to being on GMT and b) we aren't going to get too many extra 
points for a whitepaper all about how we failed to compile things and 
got into fights anyway ;)

-Moth (MOD)