This is our whitepaper.
whitepaper for team parallax
slider, rs, optic, lockdown, epic.
written by slider.
We started with a SuSe 6.4 linux box. We chmod'd alot of the
suid programs, upgraded the packages, installed a current version of
sshd, cut out all services except sshd, we also upgraded the kernel to 2.2.20 and
chattr +i the /etc/passwd and /etc/shadow file.
We didnt begin sniffing until the grace period was over, but as soon as it was over
we installed ettercap began sniffing using automated arp spoofing attacks provided
by ettercap. We managed to get every other teams gateway account not long after
we started sniffing via uses of ftp. epic convinced a_d that he had a very good
"0day" exploit, and it must be run as root because
it used raw sockets. rs coded this "exploit" and it was sent to a_d who ran it as root.
the exploit replaced /etc/passwd with backdoor accounts. rs timed out of irc right
as a_d ran it, and none of us could remember the logins rs used in the exploit, so i
tested it out on a test debian box i had and soon discovered the backdoor accounts.
All of a_d's team had logged off and couldnt log back on, so as soon as we were logged in
we killed a few backdoors we found. I found traces of an lkm backdoor (probably adore) but
it didnt seem to be doing his team any good.
Using ypo's team gateway passwords, we exported a different $PATH for him in his
.bash_profile, and used a password logging ssh client rs hacked up. Soon after we had opy's
and the root password. We connected and ran rs's "exploit" for a quick takeover. opy had installed
sIDS which was being a pain by killing and firewalling us after use of certain commands
(a possibly time limits). I discovered a bs module being loaded in rc.local and optic
rmmod'd that and i took the line out of rc.local. sIDS was still giving us trouble until i moved
ipchains. opy's team was making a try at getting their box back via backdoors, so i killed their
gateway shells by adding "kill -9 $$" to their .bash_profile (which could have easily been overwritten
with an scp to the gateway). Somehow opy started using other teams accounts on the gateway so i ended
up killing everyones shell on the gateway except ours (and non-team users).
Eventually opy gave up and because RaFa and team never showed the game was over.