Whitepaper - Team Parallax

Whitepaper submitted by team parallax. Storm Linux, Slackware, RH 6.0
This is taken from http://lockeddown.net/wargames/defense.txt
Thanks

Defensive Write up.

Writeup of the defense by team Parallax (cryptix, josh, jp, slider, lockdown)

Defense is where we figured we would be strong and planned on putting
most of our efforts. We did the usual -s'ng of suid's we didn't need.
We made a trusted group so only we could use certain suid's. We took out
the unnecessary daemons. Replaced apache with thttpd. Downgraded ssh to
version 1 because Vandals team claimed to have an ssh 2 exploit that later
turned out to be a trojan. Our ssh1 session should have been sniffable
with dsniff, although I've never tried, but we should have been warned
if that happened. I found that the ssh1 advisory included a patch and was
gonna upgrade to the last ssh1 and apply it later. We had upgraded the
kernel to 2.2.19 and were working on upgrading glibc, which is a pain in
the ass. We switched to nklogd. We ran a decoy daemon (decoy.c) I made
which was supposed to look like a backdoor and look like it was vulnerable
to an overflow. No one messed around with it though; even if it was
vulnerable you have about no chance of producing an exploit since they
didn't have copies of the source or binary. We ran the latest version of
proftpd but changed the version string to show that of a prior version
that had a known exploit. We hadn't allowed anonymous logins yet; we were
planning on it later. Either way they fell for that and were trying to
use stfu.c to exploit us. I think that is about all; we had more stuff
planned but this didn't last as long as we thought it would.
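The suid cleanup the team describes (strip the bit from suid binaries you don't need, and restrict the ones you keep to a trusted group) as a small audit script. This is an added example, not the team's own tooling; the root directory, the group name and the keep list are assumptions supplied by the caller, and mode_of assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the writeup): audit setuid binaries under a root
# and apply the writeup's policy. Setuid programs we still need stay setuid
# but become runnable only by a trusted group (mode 4750); every other
# setuid bit is stripped. ROOT, GROUP and the KEEP list are caller-supplied
# assumptions so the script can be tried on a scratch directory first.

# List every setuid file under $1, one path per line, without crossing
# filesystem boundaries.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# apply_suid_policy ROOT GROUP KEEP...
# KEEP entries are paths relative to ROOT that may remain setuid.
apply_suid_policy() {
    root=$1; group=$2; shift 2
    list_setuid "$root" | while IFS= read -r f; do
        rel=${f#"$root"/}
        keep=no
        for k in "$@"; do
            if [ "$rel" = "$k" ]; then keep=yes; fi
        done
        if [ "$keep" = yes ]; then
            # Still needed: keep setuid, but only the trusted group may run it.
            chgrp "$group" "$f" && chmod 4750 "$f"
            echo "kept   $f (group $group, mode 4750)"
        else
            # Not on the keep list: drop the setuid bit, leave everything else.
            chmod u-s "$f"
            echo "strip  $f"
        fi
    done
}

# Octal mode of a file, for checking results (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }
```

Run list_setuid first on a live system and review the output before calling apply_suid_policy, since the keep list is what decides which programs survive.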


Offensive Write up http://lockeddown.net/wargames/offense.txt

Writeup of the offensive by team Parallax (cryptix, pj, josh, slider, lockdown)

We are a team of "whitehat" hackers; none of us have hacked illegally,
only participated in wargames in the past. We don't really have any 0day
links and none of us were working on any current holes at the time of the
wargame. We figured we would play a defensive game and hold our ground for
the most part. Knowing no one would run daemons with known
vulnerabilities and not having time to audit already heavily audited
programs, we decided to take a different approach. Epic had created an
account on our box so we made the assumption that he had an account on all
the wargames. Slider came up with the idea of trying to crack epic's passwd
on our box with john. It didn't crack with any wordfiles so we went to work
on backdooring our sshd to log all passwds on login and slider went off
and tried to guess epic's passwd on Vandals box. Before I even had a chance
to compile my mods slider had already rooted Vandals box. Slider guessed
epic's password and used a public exploit to exploit xlock via format string
and took root on Vandals box. Then we all jumped over to that box and tried
to lock it down and lock them out. Vandals team was only running telnetd.
a_d's team happened to be sniffing and noticed epic's password go across
the wire and before we knew it they were on and trying to take over. We
had one person dedicated to killing the intruders while we worked on
getting ssh installed. We couldn't change the passwords because they would
be sniffed, so we encrypted passwords on our personal boxes and copied them
to /etc/shadow. That was so if we got disconnected we could get back in and
would have to change the password really fast.

Then it was looking like a stalemate between a_d's team and ourselves. I
was talking with pir8 on irc and he mentioned that his ssh password was in
their sniffer logs. I told him he must be telnetting to the gateway and
ssh'ing to his box and he was like "yeah, but I use different passwords for
each box" and at that point I wisely shut up. We set up a sniffer and started
watching; we got pir8's pass and the root pass and kept watching. After
login he ran ./c and when he did w no one showed up, so we knew logs were
being cleaned. In ps we saw a perl script running so we made sure we
killed that when we got in. We waited for activity to die down and then we
made the hit on their server, and swiftly overtook it. Not exactly the
most exciting hacks, but it was about the only chance we had offensively so
we seized it.