Kung Fu guru's - Oct 03, 2002

This is our paper from the previous weekends games.  We did not go into too much detail here as we believe we will be chosen to play again as reigning champions.  We dont want to give too many tricks of the trade away.
Kung Fu Guru's -  Rootwars whitepaper for roothack.org

Team Members: Teck7, epic, minion, and ocyrus

- Grace Period Begins.

Suids removed  from files that did not absolutely need it.  We left su and passwd.
Services and daemons not needed removed.
Every packaged we did not plan on using was removed.  We got the install down to less than 450 megs.
Passwords changed - This was enforced through out the games on a continous basis.
Kernel patched - We used 2.4.19 and some GrSec features.
Kernel upgraded
Libraries and os updated - All remaining packages were updated to latest stable package.
Software updated and installed
File system set up to preferences. - Including directory permissions, integrety scanner.
Opened apache - Latest version, Latest version SSL
Opened proftpd

Fake ssh daemon set up on port 22 that would log all incoming attempted passwds and usernames
Our plan was to spoof arp of other machines in the games after the grace peroid, and log there passwords as they tried to log into there box.

Real ssh daemon moved to 23.

Arp spoofing utiliies installed

Sniffer installed

Fragrouter installed.

- Open Season Begin

Nmap of all boxes, showed orion appeared extremely vulnerable, thrugdush appears down, erebus looks vulnerable, erinys appears secure

Banner grab of all boxes showed orion to again look vulnerable, erebus to appear vulnerable, thrugdush to appear dead, and erinys looked secure.

Attempted wuftpd exploit against orion, success, attempt to backdoor and change passwds.  End up fighting for it with other players, No one regains control.   /bin/login appeared to be corrupt or changed to permissions that would not allow remote entry.   Telnet or ssh to the box would come up with /bin/login: Permission Denied

Arp spoofing and storms took place,  no luck here.

Sniffer picked up qubit using the password l84werk@roothack in ftp sessions back to acheron.

Began writing trojand ssh client to attempt logging of passwords.  Idea to place in qubits path.

Because two boxes were out of the games, one trashed as we fought for it, and one trashed by the admin, we decided to open them both back up, and allow members of the chat room to play a king of the hill style game.

The game was to allow others to play and to bring more teams back into the games.

We gave the chat room an hour to fight for and secure the boxes down, before we allowed the existing game members to play.  After an hour had passed,  we announced the boxes were fair game to anyone in the wargames.

Nmap of both boxes and banner grab,  Vulnerable. Many services still open.

Teck 7 attacked thrugdush as EPiC attacked orion.

EPiC tried a wuftpd exploit again against orion, and succeded, from this point he made a hidden directory, and used wget to get a backdoor from acheron.  He never executed this file before his connection was killed, and acces to the ftp was killed.

While teck7 was trying to get into thrugdush using vulnerable services still open, EPiC checked the wargames / wargames account, to his surprise it was still open.  With local access it took a matter of seconds to modify a ptace exploit to match the systems needs, and obtain root.

At this point we immediatly removed the accounts on the box, killed all connections, and killed all processes that were not needed to secure the box.  We then began to build and secure us another box in the previously stated fashion.  The only differences here was the kernel patches, as we thought those may have hampered some attempts at arp spoofing.

As we secured this box,  and were watching the rest of the network, epic noticed  port 4000 open on orion. not knowing what it was he telnet'd to it.  When epic realized that it was a simple rootshell bound to a port he executed the previously copied backdoor and told the rest of the team to sit back.

The back door that epic used installs a local tty sniffer. The idea was to let them play with the box a while, while we gaind info.  We then noticed that core and qubit from team zion appeared to be helping these guys
with the box as cores passwords to acheron were being captured.

We were able to get into the box through the backdoor, and no one on the box noticed us.  We were copying the ttysniffer logs, and trying to get some trojand binaries installed before they really got the box secure.

This went on about an hour or two before we thought we had enough information to go from recon to owning the box.  We took orion over in the same fashion we had just done thrugdush.  While doing this epic tried using the information he had gathered on core.  The passwords only worked locally on acheron, which was not what we had thought we had.   We thought we had his passowords to erinys.

We now have three boxes, and core and qubits  password to acheron

We have trojand ssh in cores and qubits path twice,  but they appear to notice it, as we are not collecting any passwords.

Attempted to hijack The IP of erebus upon code_poet asking for a reboot in open chat room.  We planned to have our ssh trojan log his passwords if he did not pay attention to the key change.  This faild, and while we waited for a lucky chance one of his team members didnt notice, code_poet found our boxes name (Hades) in the FTP banner.  You can bet that wont happen again.

While in IRC we noticed Team zion bragging about how they locked down their server to a point where even root access would not do any good.   During all of this boasting, core dropped the root passwd.  He did not know that remote root logins was enabled in SSH, in fact he thought his team disabled that.  EPiC logged in and began to try to take the box over.   This was not going well as all of the restrictions made it damn near imposible to do anything.  before the next game we will be sure to have read up on the use of LCAP in the linux kernel.

With root access being so limited,  EPiC came up with a solution that would buy us some time..  We IPChaind Acheron so that all packets from that box to cores box were now to be denied,  We then set up a route through one of our other boxes that allowed us access.  With this in place,  Our team began to try to take the box apart and build it around cores security measures. During a kernel install and a reboot,  the box was killed.  It would not boot the new kernel, and we overwrote the old one as that was the only way we could get to a new kenel.

The games slowly died after this,   We began to open various services on our boxes, hoping to add some life to the games,  We had plans for code_poet and team dynamic,  but never got to carry them out before the games were closed and whitepapers asked for.

[H3C] Kung Fu Guru's