Third Eye Open

roothack.org

by Third Eye Open

**** Roothack.org Addition ****

root@cerberus:/home/epic/wargames/grace# cat erebus.txt

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on erebuss.roothack.org (192.168.200.4):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
20/tcp open ftp-data

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

[epic@erebus epic]$ ps axu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 1432 64 ? S Jan02 0:03 init [5] 
root 2 0.0 0.0 0 0 ? SW Jan02 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SWN Jan02 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? SW Jan02 0:13 [kswapd]
root 5 0.0 0.0 0 0 ? SW Jan02 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW Jan02 0:01 [kupdated]
root 9 0.0 0.0 0 0 ? SW Jan02 0:00 [khubd]
root 801 0.0 0.6 1500 184 ? S Jan02 0:00 syslogd -m 0
root 809 0.0 0.1 2160 36 ? S Jan02 0:00 klogd -2
root 882 0.0 0.1 1392 36 tty1 S Jan02 0:00 /sbin/mingetty tty1
root 883 0.0 0.1 1392 36 tty2 S Jan02 0:00 /sbin/mingetty tty2
root 884 0.0 0.1 1392 36 tty3 S Jan02 0:00 /sbin/mingetty tty3
root 885 0.0 0.1 1392 36 tty4 S Jan02 0:00 /sbin/mingetty tty4
root 886 0.0 0.1 1392 36 tty5 S Jan02 0:00 /sbin/mingetty tty5
root 887 0.0 0.1 1392 36 tty6 S Jan02 0:00 /sbin/mingetty tty6
root 11967 0.0 1.5 2960 444 ? S 01:50 0:00 ./sshd2 -p 20
root 16875 0.1 1.0 3092 312 ? S 13:26 0:11 ./sshd2 -p 20
mercy 16877 0.0 0.0 2400 0 pts/0 SW 13:26 0:00 -bash
root 16905 0.0 0.0 2180 8 pts/0 S 13:26 0:00 su root
root 16906 0.0 2.7 2456 816 pts/0 S 13:27 0:01 bash
root 20656 0.0 1.0 3092 300 ? S 14:19 0:03 ./sshd2 -p 20
mercy 20674 0.0 2.7 2408 804 pts/1 S 14:19 0:00 -bash
root 7793 2.0 5.5 3092 1620 ? S 15:14 0:00 ./sshd2 -p 20
epic 7795 2.1 4.7 2408 1380 pts/2 S 15:15 0:00 -bash
epic 7820 0.0 2.4 2640 716 pts/2 R 15:15 0:00 ps axu
[epic@erebus epic]$

[epic@erebus epic]$ /usr/sbin/lsof |grep LISTEN
[epic@erebus epic]$


[epic@erebus epic]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
postgres:x:40:41:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:
squid:x:23:23::/var/spool/squid:/dev/null
gdm:x:42:42:GDM User:/var/lib/gdm:
htdig:x:51:51:HTDIG User:/var/lib/htdig:
dhcpd:x:19:19:Dhcpd User:/var/dhcpd:
named:x:25:25:Bind User:/var/named:
nscd:x:28:28:NSCD Daemon:/:/bin/false
rpm:x:37:37:RPM User:/var/lib/rpm:/bin/false
apache:x:48:48:Apache User:/var/www:
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
sympa:x:89:89:Sympa Mailing list manager:/var/lib/sympa:/bin/bash
ldap:x:93:93:OpenLDAP server:/var/lib/ldap:/bin/false
nobody:x:99:99:Nobody:/:
alias:x:400:401:qmail alias user:/var/qmail/alias:/bin/true
qmaild:x:401:401:qmaild user:/var/qmail:/bin/true
qmaill:x:402:401:qmaill user:/var/qmail:/bin/true
qmailp:x:403:401:qmailp user:/var/qmail:/bin/true
qmailq:x:404:400:qmailq user:/var/qmail:/bin/true
qmailr:x:405:400:qmailr user:/var/qmail:/bin/true
qmails:x:406:400:qmails user:/var/qmail:/bin/true
dnscache:x:410:405:dnscache user:/var/djbdns:/bin/true
dnslog:x:411:405:dnslog user:/var/djbdns:/bin/true
tinydns:x:412:405:tinydns user:/var/djbdns:/bin/true
axfrdns:x:413:405:axfrdns user:/var/djbdns:/bin/true
xfs:x:414:414:X Font Server:/etc/X11/fs:/bin/false
mysql:x:415:415:MySQL server:/var/lib/mysql:/bin/bash
postfix:x:416:416:postfix:/var/spool/postfix:
epic:x:501:501:EPIC:/home/epic:/bin/bash
lattera:x:502:506::/home/lattera:/bin/bash
ph33r:x:503:507::/home/ph33r:/bin/bash
ocyrus:x:504:508::/home/ocyrus:/bin/bash
mercy:x:505:509::/home/mercy:/bin/bash
hypnosses:x:506:510::/home/hypnosses:/bin/bash
anarchist:x:507:511::/home/anarchist:/bin/bash
[epic@erebus epic]$


[epic@erebus epic]$ cat /etc/*release
Mandrake Linux release 8.1 (Vitamin) for i586
Mandrake Linux release 8.1 (Vitamin) for i586
[epic@erebus epic]$

[epic@erebus suids]$ cat suid
-rws--x--x 1 root root 2005248 Jan 3 00:53 /usr/local/ssh2/bin/ssh-signer2
-rwsr-xr-x 1 root root 18172 Sep 14 2001 /bin/su
[epic@erebus suids]$

[epic@erebus suids]$ cat worldw
drwxrwxrwt 2 root root 40 Jun 12 2003 /dev/shm
drwxrwxrwt 4 root root 4096 Jan 3 15:25 /tmp
drwxrwxrwt 2 xfs xfs 4096 Jun 12 2003 /tmp/.font-unix
drwxrwxrwt 2 root root 4096 Jun 12 2003 /tmp/.X11-unix
drwxrwxrwt 2 root root 4096 Jan 3 06:41 /var/tmp
drwxrwxrwt 2 root root 4096 Sep 10 2001 /var/spool/samba
d-wx-wx-wt 2 apache apache 4096 Jun 12 2003 /var/apache-mm
-rw-rw-rw- 1 root root 292351 Sep 13 2001 /usr/share/AbiSuite/icons/abiword_logo.xpm
-rw-rw-rw- 1 root root 3949 Sep 13 2001 /usr/share/AbiSuite/icons/abiword_48.png
-rw-rw-rw- 1 root root 3339 Sep 13 2001 /usr/share/AbiSuite/icons/abiword_48.tif
-rw-rw-rw- 1 root root 14298 Sep 13 2001 /usr/share/AbiSuite/icons/abiword_48.xpm
lrwxrwxrwx 1 root root 10 May 28 2003 /usr/tmp -> ../var/tmp
[epic@erebus suids]$


**** End Roothack.org Addition ****


[ Third Eye Open ]

I was contacted 12 hours before roothack was meant to begin by lattera asking if I would like to join his team. I figured I may as well; I had only played the game once before, which was sometime in 2002. I don't think our team had any sort of game plan or structure for the wargames, and I don't think I was totally prepared for it.

I logged on about an hour or two after the grace period had begun and found that my team members were: Lattera, ph33r, ocyrus, hypnosses, and anarchist.

Our default box was Linux Mandrake 8.1 with kernel 2.4.18. I wasn't directly involved with upgrading our system in the beginning, so lattera updated our kernel (ran into a small bit of trouble but it all sorted itself out) to 2.4.23, and ph33r upgraded sshd1 to sshd2. Lattera had written a honeypot and tried to get it up and running on erebus as fake services, though he ran into a bit of trouble, and as it came closer to open season I loaded up a fake services script written in perl by ilja (netric.org).

During the night when most had gone to sleep, I patched the kernel against ptrace, installed and updated libraries with libpcap/libnet etc. etc., and installed a few sniffers, though I only got ettercap to be fully functional by the time the game had kicked off. On the gateway server anarchist and I chmod'd 770 our home dirs, removed world writable directories and set up user accounts/backdoors.

We decided that, to have the upper hand before open season kicked off, we should start social engineering the other teams. It didn't go too well as opposed to last time (I managed to gain root to several machines through SEing), but we did find out excellent information about OS types and kernel/service versions before open season, which assisted us in gathering exploits.

One annoyance through the entire games was having to scp all our files to erebus from the gateway, though I will overcome this if I partake in a later game through using DSR-tunnel. Epic contacted us shortly before open season kicked off and warned that we should at least give other teams a chance by writing proper services or loading something commercial, so I decided to write my own service to be loaded on that night. Before open season kicked off I set up small firewall rulesets and locked down the arp tables to make sure arp spoofing would not be that big a concern to us.
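The set-uid and world-writable sweep that the "suid" and "worldw" listings in the Roothack.org addition came from, written up here as an added grace-period hardening check (this is not the author's script; it builds a constructed sample tree under a temp directory so it runs without touching the real filesystem, and takes any root directory as its argument).

```shell
#!/bin/sh
# Added example, not from the original writeup: the kind of audit that
# produces the "suid" and "worldw" lists. Pass "/" to audit a real host.

# List set-uid/set-gid regular files under $1, one path per line, sorted.
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# List world-writable files and directories under $1, skipping symlinks
# and sticky-bit directories (/tmp-style dirs are expected to be 1777).
audit_worldw() {
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# Build a constructed tree (labelled as such) to exercise both checks offline.
make_sample_tree() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp" "$d/var/cache"
    : > "$d/bin/su";       chmod 4755 "$d/bin/su"         # set-uid binary: finding
    : > "$d/bin/ls";       chmod 0755 "$d/bin/ls"         # ordinary binary: ignored
    chmod 1777 "$d/tmp"                                   # sticky world-writable: ignored
    chmod 0777 "$d/var/cache"                             # non-sticky world-writable dir: finding
    : > "$d/var/logo.xpm"; chmod 0666 "$d/var/logo.xpm"   # world-writable file: finding
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "== set-uid/set-gid files under $root"; audit_suid "$root"
    echo "== world-writable (non-sticky) under $root"; audit_worldw "$root"
    rm -rf "$root"
fi
```

Run it with `--demo` for the constructed tree, or call `audit_suid /` and `audit_worldw /` directly on a box being hardened.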

When open season started I began profiling the other systems, running full port scans and OS detection from nmap <- our favourite network scanner ;) After I logged these profiles to different files, I checked out the services and found a few ftps to be open, notably orion's services which consisted of ftp/telnet and a few others. I ran ettercap to start sniffing on erinys, which also had telnetd running, and I grabbed the banner of orion's ftpd which just so happens to be wu-ftpd 6.0; having an exploit already on my system for this, I compiled and ran it to be provided with a rootshell on orion. I decided it would not be fair to lock down orion and work on the other machines so soon in the game, so I simply left a message in /etc/motd and exited their box. So that was the first box owned by TEO within the first 12 minutes of the game. I then decided to check out my sniffer logs for erinys which provided me with a few passwords, though I was disconnected and left for work.

When I returned that night I found that orion was down after a kernel upgrade went wrong, and erinys seemed to be down or not responding to my requests, so I just left it at that. I kept profiling the other two boxes, namely thrugdush after ref0rm had boasted about it being so secure. Darawk pointed out that he was running a vulnerable imapd, and I noticed something weird over his telnetd sessions: the users/passwords tried a few times were the same for other login information of his, though I did not think anything more of it at the time. I wrote an imapd exploit for thrugdush though left before I compiled it, and when I returned the next morning and checked my logs I found a few passwords from ftp sessions to thrugdush. When I joined #teo to report the passwords, it turned out that the password was cracked earlier by darawk, and we started to backdoor their system. Passwd and shadow files were replaced, and we worked on gaining a remote shell; we did this by replacing inetd.conf with /bin/sh for imapd, and we reloaded imapd by trojaning the ls command to do killall -HUP inetd. Once this was done we replaced ls and continued to do our work over the sh shell opened on port 143.

Once again the thrugdush box went down due to a failed kernel compile (I think), and that only left hades, the last box standing. We did another full port scan of their machine and port 52333 was holding sshd1; after grabbing the banner it was shown to be vulnerable, though the x2/x4 exploits did not work. I started to set up dsniff again (it did not compile during grace) to grab the passwords from their login, though a short while after it was reported that s0kket had gained access to their box by logging into ircd as one of their members and pretending that the box had been rooted. He managed to get his password changed after he sent a base64 encrypted password, and he logged in and rooted it with a simple ptrace exploit. That was all of the boxes owned, all 3 by s0kket who had not been a part of any team, 2 of which had been done by TEO.

The game proved to be lots of fun. I have never done anything related to administering a linux box before, so I learnt a lot from the grace period, and it was a bit of fun watching the network traffic and senseless exploits people were running. The next game will prove to be interesting with a lot of sensible people entering, and my final thoughts on the game are summed up by andrewg on ircd the first night: 6ps - proper planning prevents piss poor performance.

[mercy]