Team Zion's Whitepaper

roothack.org

by Team ZioN

Team ZioN's Whitepaper -- (a_d, phased, trinix, cjk, deltrex, redby)

We all came together as a group at short notice and had not previously worked with eachother on anything before, so we were in a bit of a rush and had no ideas untillthe grace period was already upon us.

We started by removing all files that were not needed to be suid root, and patching the system for known bugs. We did not go as far as a kernel recompile as we were in a rush to get other ideas sorted out, so simple patches seem to be effective enough. We made md5 hashesof key binaries which we checked periodically throught the open season incase of us being owned without our knowing and the binaries modified.

Phased coded a quick program to open up fake services on a port, which then changed the to run on a random port after each tcp connection, this was in order to confuse the other teams. We closed down all services and set about adding new secure services to add points

We also modified our sshd. We did this by having the sshd only allow clients to connect that sent a certain string first. I wont go into detail on this, as it can buy us alot of time on our next round of rootwars. Also we had the sshd change the port it ran on after each connection, once again we'll be using this next time so no more info ;]

As for the attack side of things we basically setup some sniffers, of which we managed to sniff epics irc session to #ironclad, which was the channel parallax used to discuss their tactics etc, this coulda have been very helpful if we werent locked out so soon. a_d was also given an apparent ssh '0day' which he kept to himself, this later became the method that team parallax used to own us.

The whole rootwars became a shambles for our team, with people disagreeing to others methods. The grace-period was over and we still hadnt compiled the modified sshd. So we were using an apparent vuln sshd during the open-season whilst the custom was compiling, which a_d fucked up so none of our passwords were working on the custom sshd. We mv'd /bin/su to /sbin/traceroute just as another method of security. However a_d chmod'd /sbin/ with the leet script that he used for finding suids, so that normal users can not read /sbin, once again a_d not communicating with the rest of his team. Lucky for us there was one person with a root shell that was able to change the permissions back quickly Cjk installed a ping back ICMP shell but he lost the byte size for it so we were not able to recover our box once we had got owned. We apparently got owned because a_d recieved this apparent sshd 0day from a member of parallax, which he ran as root from our box.. which ended up to be a trojan horse...

A total shambles for our team, but fun none the less...

Team ZioN