Team Ypo and Redg

roothack.org

by Team Ypo and Redg

WhitePaper - Team Ypo and Redg
------------------------------------

Our Team
--------

Our team consists of two players. We thought that it would be a good idea not to have too many
players; that way fewer mistakes can be made. We have used past wargame scripts and programs that
were successful in previous games of rootwars, and we hope that they will keep us secure. All
code and patches used are our own, as we intended.

We had two main concerns... the first being that we could not change our pass on the gateway, which is
very insecure, as someone could follow us in, and epic knows the default passwd he set us.

The second thing we were a little worried about is that we only had 4 hours to secure instead of the allocated 24 hours. But it didn't cause any real problems... just a little rushed. And where someone rushes they make mistakes.


Our defence
-------------

Well, our attack was not going to amount to much, so we focused most of our efforts towards securing the box in the 4 hours we had because of certain communication problems. Anyway, as time progressed so did we: we closed down all services and updated sshd. We installed our own IDS, which is really basic but always helps us during wargames. It monitors certain services, keeps logs of scans, and will attempt to stop anyone local from having root access.

Once we got owned we let sIDS do the work:

<Opy> epic you here ?
<Opy> or busy :)
<optic> tryin to figure out what opy did to their box...
<Opy> :)

It's not foolproof but it is fucking annoying! It will throw up a firewall and not allow any incoming or outgoing packets, so the attacking team would be d/c'd, giving us a chance to get our box back.

With a fake ftp daemon that was part of sIDS and a fake httpd made to look like apache, the only real daemon left was ssh 3.0.1, and from what we know it wasn't vulnerable to attack.

In order to keep the fake daemons open when we logged out, we made a program to keep them alive.
It would check once every minute to make sure they were up; if they were down it would bring them back up.
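A watchdog of the kind described here, written as an added example (it is not the team's own keep-alive program). It polls a list of daemons once a minute and restarts any that are down, and, going one step past the writeup, stops retrying a daemon that keeps dying so the loop does not spend the whole game fighting whoever is killing it. The daemon binaries and pid-file paths are hypothetical placeholders.

```python
"""Keep-alive loop for decoy daemons: poll once a minute, restart what is down.

Added example, not the team's own program. The daemon commands and pid-file
paths in __main__ are hypothetical placeholders.
"""
import os
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Service:
    name: str
    is_alive: Callable[[], bool]   # probe that returns True while the daemon is up
    start: Callable[[], None]      # action that brings it back
    max_restarts: int = 5          # stop fighting a daemon that dies every minute
    restarts: int = 0


def pidfile_alive(path: str) -> bool:
    """True if the pid recorded in `path` still exists (signal 0 probes without killing)."""
    try:
        with open(path) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return False          # no pid file or garbage in it: treat as down
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False          # pid is gone
    except PermissionError:
        return True           # process exists, it just is not ours to signal
    return True


def spawn(argv: List[str]) -> Callable[[], None]:
    """Return a start action that launches `argv` detached from our terminal."""
    def _start() -> None:
        subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                         start_new_session=True)
    return _start


def check_once(services: List[Service]) -> Dict[str, str]:
    """One pass over the list: {name: 'up' | 'restarted' | 'gave up'}."""
    status: Dict[str, str] = {}
    for svc in services:
        if svc.is_alive():
            status[svc.name] = "up"
        elif svc.restarts >= svc.max_restarts:
            # Repeated deaths mean someone is killing it on purpose; log, stop retrying.
            status[svc.name] = "gave up"
        else:
            svc.start()
            svc.restarts += 1
            status[svc.name] = "restarted"
    return status


def run_forever(services: List[Service], interval: int = 60) -> None:
    """The loop the writeup describes: check every minute, bring back anything down."""
    while True:
        for name, state in check_once(services).items():
            if state != "up":
                print(f"{time.strftime('%F %T')} {name}: {state}", flush=True)
        time.sleep(interval)


if __name__ == "__main__":
    # Hypothetical decoy daemons; binaries and pid files are placeholders.
    decoys = [
        Service("fakeftpd", lambda: pidfile_alive("/var/run/fakeftpd.pid"),
                spawn(["/usr/local/sbin/fakeftpd"])),
        Service("fakehttpd", lambda: pidfile_alive("/var/run/fakehttpd.pid"),
                spawn(["/usr/local/sbin/fakehttpd"])),
    ]
    run_forever(decoys)
```

The probe and the start action are plain callables, so a pid-file check can be swapped for a TCP connect to the decoy's port, which is what an attacker actually sees, without touching the loop.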


Now our main concern was team Parallax, as they have some very skilled players... we were not
sure what they had up their sleeves, so every move they made we took great caution.
Then out of the blue epic asked us if we wanted some 0day exploits to make it fair... we were
highly suspicious, but acted as normal. Once we received the exploits, we could tell that they
were very well coded, and if there was a trojan in them we wouldn't notice it easily. So we tested
the exploits on a personal machine and found out it was a trojan.

The trojan added some local accounts and overwrote some accounts on the machine it was run on.

root:$1$CKDVZ6Fh$K4edRJ/bA5NXB6J.z5EGX.:0:0:bin:/bin:/bin/sh
a:$aBc5XmYA1h2sd:0:0:bin:/bin:/bin/sh
b:$1$CKDVZ6Fh$K4edRJ/bA5NXB6J.z5EGX.:0:0:bin:/bin:/bin/sh
c:$aBc5XmYA1h2sd:11727:0:99999:7:::
d:$1$CKDVZ6Fh$K4edRJ/bA5NXB6J.z5EGX.:998:998:bin:/bin:/bin/sh
e:$aBc5XmYA1h2sd:999:999:bin:/tmp:/bin/sh
TTTT„ÎßÈ„ÛÊØØ:0:bin¨÷sshdüÿÿÿ

As you can see here, they do not look like normal accounts, and team Parallax would have to be very quick in order to have taken over the box.
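A small audit of the kind of entries shown above, as an added example that is not part of the original writeup. It parses passwd-format lines and flags the traits visible in the dump: uid 0 accounts other than root, password hashes sitting in /etc/passwd instead of /etc/shadow, a home directory under /tmp, malformed lines (the shadow-style `c` entry, plus a constructed short line standing in for the binary junk at the end of the dump), and accounts that share one hash, salt included, which means they share one password. The sample input is the entries quoted above plus one constructed normal account.

```python
"""Audit /etc/passwd entries for the marks a password-file trojan leaves behind.

Added example, not the team's sIDS. The sample lines are the ones quoted in the
writeup plus one constructed normal entry and one constructed junk line.
"""
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

PASSWD_FIELDS = 7
# Password-field values that mean "no hash lives here" on a shadowed system.
NO_HASH = {"x", "*", "!", "!!", ""}

Finding = Tuple[str, str]  # (account name or "line N", reason)

# Entries from the writeup above; "TTTT:0:bin" is a constructed stand-in for the
# binary junk line, and the "nobody" entry is a constructed normal account.
SAMPLE_PASSWD = [
    "root:$1$CKDVZ6Fh$K4edRJ/bA5NXB6J.z5EGX.:0:0:bin:/bin:/bin/sh",
    "a:$aBc5XmYA1h2sd:0:0:bin:/bin:/bin/sh",
    "b:$1$CKDVZ6Fh$K4edRJ/bA5NXB6J.z5EGX.:0:0:bin:/bin:/bin/sh",
    "c:$aBc5XmYA1h2sd:11727:0:99999:7:::",
    "d:$1$CKDVZ6Fh$K4edRJ/bA5NXB6J.z5EGX.:998:998:bin:/bin:/bin/sh",
    "e:$aBc5XmYA1h2sd:999:999:bin:/tmp:/bin/sh",
    "TTTT:0:bin",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
]


def audit_passwd(lines: List[str]) -> List[Finding]:
    """Return one (subject, reason) tuple for every suspicious thing found."""
    findings: List[Finding] = []
    hash_owners: Dict[str, List[str]] = defaultdict(list)

    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Wrong field count or non-numeric uid/gid: not a passwd entry at all.
        if (len(fields) != PASSWD_FIELDS
                or not fields[2].isdigit() or not fields[3].isdigit()):
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        if pw not in NO_HASH:
            findings.append((name, "password hash stored in passwd instead of shadow"))
            hash_owners[pw].append(name)
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))

    # Identical hash strings (salt included) mean identical passwords; a batch of
    # backdoor accounts dropped by one tool usually shares one or two.
    for owners in hash_owners.values():
        if len(owners) > 1:
            for name in owners:
                others = ", ".join(o for o in owners if o != name)
                findings.append((name, f"shares its password hash with {others}"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        for subject, reason in audit_passwd(fh.readlines()):
            print(f"{subject}: {reason}")
```

Run against a live file it is a quick "did anyone touch passwd" check to pair with a stored copy; the findings list is plain data, so the same function can feed a diff against the known-good copy or a log line for an IDS like the one described.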

It was a very good attempt! But we were not going to trust anybody or anything.


Our attack
----------

We were not going to attack but instead defend. We do not have the sources to get unreleased exploits, and even if we did manage to root their box... we know the local setup will rely on
updates and patches. There is an unmanned, unpatched Red Hat 6.2 box, but for some reason it will not root no matter how much we throw at it.

Once we were rooted!
--------------------

Well, as we said previously, sIDS will kick up a fuss if someone has local root... and it did. They couldn't change any passes and relied on locking us out from the gateway to be enough. So we logged in to RaFa's account on the gateway and ssh'd to our box, with all the passes unchanged. Then we restarted sshd so that we would get a chance to clean the mess. So once sshd had been restarted we quickly removed /etc/passwd to stop them logging back in... but somehow they still got back in and killed us. So then we reconnected and removed /etc/passwd* and /etc/shadow and then triggered sIDS to d/c them all, hoping that if we can't have our box... then they can't. The chance of us keeping our box and reviving it after they had been in there and possibly trojaning/backdooring files was slim, so we tried our best to keep them out.

It was a good game and we were very close to getting our box back. We thought deleting /etc/passwd would stop them logging back in and would give us a chance to change the passwds and be on our way... ah well, we gave it a shot. It was fun!

Opy & Redg