Team c1sc0s whitepaper

roothack.org

by Team c1sc0s

Okay, here is the basic breakdown. We had Red Hat 6.2, which posed problems with my original script because it was made for a box with a newer kernel and iptables. It also came with outdated telnetd and wu-ftpd; we turned all that crap off right away because it was full of loopholes, then we updated to a slightly modified OpenSSH (the modifications, made by pro-logic, were small chunks of SSL integration). We then started closing up security holes. 6.2 defaults to kernel 2.2.19, which was vulnerable to things as simple as ptrace(), so we grabbed 2.2.20, which at first posed issues since Red Hat was being a POS because of the canary death handler. Although that seems to be a part of StackGuard, we have no idea why the error was there, since there were no stack or buffer guards on the box. We then prepared our services for the box; we had ncftpd, since it is a very secure ftpd. This pretty much covers the grace period.

The first days of open season were the busiest for everyone. The beginning was very fast paced, as everyone was trying to connect to misc. services that were open. At this point Erebus was putting up thttpd, and Hades had output-only services. I did a tad bit of social engineering on Erebus which came back to bite me in the ass: I convinced them that there was at least one buffer overflow in thttpd (since the latest version was air-tight), so they wrote their own that gave the same page each time and closed the connection. (That sucked... bad.) The attacks on us were minimal at first, just simple UDP scanning and spamming; eventually we closed off UDP because it was annoying as all crap when netstat popped that shit up. We tried several things; our biggest attacks were reverse traps: a telnetd that just ran a short little cat /dev/urandom, and that was that. By the time 8 services were required we were really going at it, going nuts over everything, but then we noticed something useful! Hades was running fingerd, and it appeared to be running as uid 0. So I grabbed a script that sent commands to run to the finger daemon; it worked just to connect Hades to our fake telnet (urandom). At this point Euphrosyne was still unavailable, so I modified his .bashrc and his .bash_profile so they looped the same cat, ignored launch commands via ssh, and also ignored SIGHUP. No one obtained root, which was upsetting, but we kept ours. We tried many things; we even had almost obtained a shell via Hades' and Erebus' SMTP servers. It was very close, but then shortly after Erebus began broadcast ping spamming everything, and I was about ready to slap them in the head.
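The "reverse trap" mentioned above (a telnetd that just ran cat /dev/urandom at whoever connected), as an added example that is not part of the original writeup or Team c1sc0s' setup: a small Python service that accepts a connection, floods it with random bytes and then hangs up, plus a probe client standing in for the scanning team. The loopback address, the byte cap that makes the demo terminate, and the looks_random() banner check are assumptions for the demonstration; the original used an actual telnet daemon, not this code.

```python
"""Reverse trap: a fake service that floods whoever connects with random
bytes and then hangs up, the way the writeup's telnetd ran cat /dev/urandom.

Assumptions (not from the original writeup): loopback address, a byte cap so
the demo terminates, and a probe() client standing in for the scanning team.
"""
import os
import socket
import threading

CHUNK = 4096


def serve_one(listener: socket.socket, max_bytes: int) -> int:
    """Accept a single client and stream os.urandom() at it until max_bytes
    have gone out or the client gives up.  Returns the number of bytes sent."""
    conn, _peer = listener.accept()
    sent = 0
    try:
        with conn:
            while sent < max_bytes:
                chunk = os.urandom(min(CHUNK, max_bytes - sent))
                conn.sendall(chunk)
                sent += len(chunk)
            # Leaving the with-block closes the socket: the scanner's recv()
            # then returns EOF, mirroring "closed the connection".
    except (BrokenPipeError, ConnectionResetError):
        pass  # client bailed out first; that is the trap doing its job
    return sent


def start_trap(max_bytes: int = 64 * 1024, host: str = "127.0.0.1", port: int = 0):
    """Bind a listener (port 0 = kernel-chosen) and serve one client in a
    background thread.  Returns (port, thread, result); result["sent"] is
    filled in when the thread finishes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    result: dict = {}

    def run() -> None:
        try:
            result["sent"] = serve_one(listener, max_bytes)
        finally:
            listener.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return listener.getsockname()[1], thread, result


def probe(port: int, host: str = "127.0.0.1", limit: int = 1 << 20) -> bytes:
    """Play the role of a team poking at open services: connect, read until
    the trap hangs up (or until limit bytes), and return what came back."""
    received = bytearray()
    with socket.create_connection((host, port), timeout=5) as client:
        while len(received) < limit:
            data = client.recv(65536)
            if not data:
                break
            received.extend(data)
    return bytes(received)


def looks_random(data: bytes) -> bool:
    """Crude check that this is noise rather than a banner: a real service
    banner uses a few dozen distinct byte values, urandom output uses ~all 256."""
    return len(set(data)) > 200


if __name__ == "__main__":
    port, thread, result = start_trap(max_bytes=16 * 1024)
    print(f"trap listening on 127.0.0.1:{port}")
    garbage = probe(port)
    thread.join(5)
    print(f"probe received {len(garbage)} bytes; trap sent {result.get('sent')}")
```

The inetd-era equivalent is a one-line service entry pointing at cat /dev/urandom; the Python version just makes the behaviour visible end to end, including the hang-up that the scanner sees as EOF.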

We had a guest account ready; it was just waiting for the other teams to set one up. Other than that, we were pretty secure (several of our services were /bin/false).

That was pretty much it. I'd like to thank all the other teams (except Erebus, who spammed me so I couldn't get to my own box) on a good game. I hope to play you all again some time.