Third Eye Open - 01-05-04

Third Eye Open - Mandrake 8.1 - Default Install
****  Roothack.org Addition ****

root@cerberus:/home/epic/wargames/grace# cat erebus.txt

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on erebuss.roothack.org (192.168.200.4):
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
20/tcp     open        ftp-data

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second



[epic@erebus epic]$ ps axu
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2  1432   64 ?        S    Jan02   0:03 init [5]
root         2  0.0  0.0     0    0 ?        SW   Jan02   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SWN  Jan02   0:00 [ksoftirqd_CPU0]
root         4  0.0  0.0     0    0 ?        SW   Jan02   0:13 [kswapd]
root         5  0.0  0.0     0    0 ?        SW   Jan02   0:00 [bdflush]
root         6  0.0  0.0     0    0 ?        SW   Jan02   0:01 [kupdated]
root         9  0.0  0.0     0    0 ?        SW   Jan02   0:00 [khubd]
root       801  0.0  0.6  1500  184 ?        S    Jan02   0:00 syslogd -m 0
root       809  0.0  0.1  2160   36 ?        S    Jan02   0:00 klogd -2
root       882  0.0  0.1  1392   36 tty1     S    Jan02   0:00 /sbin/mingetty tty1
root       883  0.0  0.1  1392   36 tty2     S    Jan02   0:00 /sbin/mingetty tty2
root       884  0.0  0.1  1392   36 tty3     S    Jan02   0:00 /sbin/mingetty tty3
root       885  0.0  0.1  1392   36 tty4     S    Jan02   0:00 /sbin/mingetty tty4
root       886  0.0  0.1  1392   36 tty5     S    Jan02   0:00 /sbin/mingetty tty5
root       887  0.0  0.1  1392   36 tty6     S    Jan02   0:00 /sbin/mingetty tty6
root     11967  0.0  1.5  2960  444 ?        S    01:50   0:00 ./sshd2 -p 20
root     16875  0.1  1.0  3092  312 ?        S    13:26   0:11 ./sshd2 -p 20
mercy    16877  0.0  0.0  2400    0 pts/0    SW   13:26   0:00 -bash
root     16905  0.0  0.0  2180    8 pts/0    S    13:26   0:00 su root
root     16906  0.0  2.7  2456  816 pts/0    S    13:27   0:01 bash
root     20656  0.0  1.0  3092  300 ?        S    14:19   0:03 ./sshd2 -p 20
mercy    20674  0.0  2.7  2408  804 pts/1    S    14:19   0:00 -bash
root      7793  2.0  5.5  3092 1620 ?        S    15:14   0:00 ./sshd2 -p 20
epic      7795  2.1  4.7  2408 1380 pts/2    S    15:15   0:00 -bash
epic      7820  0.0  2.4  2640  716 pts/2    R    15:15   0:00 ps axu
[epic@erebus epic]$

[epic@erebus epic]$ /usr/sbin/lsof |grep LISTEN
[epic@erebus epic]$


[epic@erebus epic]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
postgres:x:40:41:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:
squid:x:23:23::/var/spool/squid:/dev/null
gdm:x:42:42:GDM User:/var/lib/gdm:
htdig:x:51:51:HTDIG User:/var/lib/htdig:
dhcpd:x:19:19:Dhcpd User:/var/dhcpd:
named:x:25:25:Bind User:/var/named:
nscd:x:28:28:NSCD Daemon:/:/bin/false
rpm:x:37:37:RPM User:/var/lib/rpm:/bin/false
apache:x:48:48:Apache User:/var/www:
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
sympa:x:89:89:Sympa Mailing list manager:/var/lib/sympa:/bin/bash
ldap:x:93:93:OpenLDAP server:/var/lib/ldap:/bin/false
nobody:x:99:99:Nobody:/:
alias:x:400:401:qmail alias user:/var/qmail/alias:/bin/true
qmaild:x:401:401:qmaild user:/var/qmail:/bin/true
qmaill:x:402:401:qmaill user:/var/qmail:/bin/true
qmailp:x:403:401:qmailp user:/var/qmail:/bin/true
qmailq:x:404:400:qmailq user:/var/qmail:/bin/true
qmailr:x:405:400:qmailr user:/var/qmail:/bin/true
qmails:x:406:400:qmails user:/var/qmail:/bin/true
dnscache:x:410:405:dnscache user:/var/djbdns:/bin/true
dnslog:x:411:405:dnslog user:/var/djbdns:/bin/true
tinydns:x:412:405:tinydns user:/var/djbdns:/bin/true
axfrdns:x:413:405:axfrdns user:/var/djbdns:/bin/true
xfs:x:414:414:X Font Server:/etc/X11/fs:/bin/false
mysql:x:415:415:MySQL server:/var/lib/mysql:/bin/bash
postfix:x:416:416:postfix:/var/spool/postfix:
epic:x:501:501:EPIC:/home/epic:/bin/bash
lattera:x:502:506::/home/lattera:/bin/bash
ph33r:x:503:507::/home/ph33r:/bin/bash
ocyrus:x:504:508::/home/ocyrus:/bin/bash
mercy:x:505:509::/home/mercy:/bin/bash
hypnosses:x:506:510::/home/hypnosses:/bin/bash
anarchist:x:507:511::/home/anarchist:/bin/bash
[epic@erebus epic]$


[epic@erebus epic]$ cat /etc/*release
Mandrake Linux release 8.1 (Vitamin) for i586
Mandrake Linux release 8.1 (Vitamin) for i586
[epic@erebus epic]$

[epic@erebus suids]$ cat suid
-rws--x--x    1 root     root      2005248 Jan  3 00:53 /usr/local/ssh2/bin/ssh-signer2
-rwsr-xr-x    1 root     root        18172 Sep 14  2001 /bin/su
[epic@erebus suids]$

[epic@erebus suids]$ cat worldw
drwxrwxrwt    2 root     root           40 Jun 12  2003 /dev/shm
drwxrwxrwt    4 root     root         4096 Jan  3 15:25 /tmp
drwxrwxrwt    2 xfs      xfs          4096 Jun 12  2003 /tmp/.font-unix
drwxrwxrwt    2 root     root         4096 Jun 12  2003 /tmp/.X11-unix
drwxrwxrwt    2 root     root         4096 Jan  3 06:41 /var/tmp
drwxrwxrwt    2 root     root         4096 Sep 10  2001 /var/spool/samba
d-wx-wx-wt    2 apache   apache       4096 Jun 12  2003 /var/apache-mm
-rw-rw-rw-    1 root     root       292351 Sep 13  2001 /usr/share/AbiSuite/icons/abiword_logo.xpm
-rw-rw-rw-    1 root     root         3949 Sep 13  2001 /usr/share/AbiSuite/icons/abiword_48.png
-rw-rw-rw-    1 root     root         3339 Sep 13  2001 /usr/share/AbiSuite/icons/abiword_48.tif
-rw-rw-rw-    1 root     root        14298 Sep 13  2001 /usr/share/AbiSuite/icons/abiword_48.xpm
lrwxrwxrwx    1 root     root           10 May 28  2003 /usr/tmp -> ../var/tmp
[epic@erebus suids]$


**** End Roothack.org Addition  ****
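The suid and worldw files above are raw long listings; the script below is an added example (not part of the original write-up or of roothack.org) that parses such ls -l lines and ranks what a grace-period audit should look at first: setuid-root binaries, world-writable files, and world-writable directories with or without the sticky bit. The sample lines are copied from the listings above; the regex assumes the standard `ls -l` column layout shown there.

```python
import re
from typing import Optional

# Sample lines copied from the suid/worldw listings above.
SAMPLE = """\
-rws--x--x    1 root     root      2005248 Jan  3 00:53 /usr/local/ssh2/bin/ssh-signer2
-rwsr-xr-x    1 root     root        18172 Sep 14  2001 /bin/su
drwxrwxrwt    4 root     root         4096 Jan  3 15:25 /tmp
d-wx-wx-wt    2 apache   apache       4096 Jun 12  2003 /var/apache-mm
-rw-rw-rw-    1 root     root       292351 Sep 13  2001 /usr/share/AbiSuite/icons/abiword_logo.xpm
lrwxrwxrwx    1 root     root           10 May 28  2003 /usr/tmp -> ../var/tmp
"""

# Columns: mode, link count, owner, group, size, month, day, time-or-year, path
LINE_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")
RANK = {"high": 0, "medium": 1, "info": 2}

def classify(line: str) -> Optional[dict]:
    """Return a finding for one ls -l line, or None if the entry is unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mode, owner, _group, path = m.groups()
    if mode[0] == "l":
        # A symlink's own bits are always rwxrwxrwx; the target is what needs auditing.
        return {"path": path.split(" -> ")[0], "severity": "info", "finding": "symlink, audit target"}
    setuid, setgid = mode[3] in "sS", mode[6] in "sS"          # user/group execute slots
    world_w, sticky = mode[8] == "w", mode[9] in "tT"          # other write / sticky bit
    if mode[0] == "-" and setuid:
        sev = "high" if owner == "root" else "medium"
        return {"path": path, "severity": sev, "finding": f"setuid {owner} binary"}
    if mode[0] == "-" and setgid:
        return {"path": path, "severity": "medium", "finding": "setgid binary"}
    if mode[0] == "d" and world_w:
        # Sticky world-writable dirs (/tmp style) are expected; non-sticky ones let anyone delete others' files.
        return {"path": path, "severity": "medium" if sticky else "high",
                "finding": "world-writable dir" + (" (sticky)" if sticky else " (no sticky bit)")}
    if mode[0] == "-" and world_w:
        return {"path": path, "severity": "high", "finding": "world-writable file"}
    return None

def audit(listing: str) -> list:
    """Classify every line of a listing and return the findings, most severe first."""
    findings = [f for f in map(classify, listing.splitlines()) if f]
    return sorted(findings, key=lambda f: RANK[f["severity"]])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:<6} {f['finding']:<32} {f['path']}")
```

Feed it the output of `find / -perm -4000 -ls`-style or `find / -perm -2 -ls`-style listings to get the same ranking over a whole box.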


[ Third Eye Open ]

I was contacted 12 hours before roothack was meant to begin by lattera asking if I would
like to join his team. I figured I may as well - I had only played the game once before, which
was sometime in 2002.
I don't think our team had any sort of game plan or structure for the wargames, and I
don't think I was totally prepared for it.
I logged on about an hour or two after grace period had begun and found that my team
members were: Lattera, ph33r, ocyrus, hypnosses, and anarchist.
Our default box was Linux Mandrake 8.1 with kernel 2.4.18. I wasn't directly involved with
upgrading our system in the beginning, so lattera updated our kernel (ran into a small
bit of trouble but it all sorted itself out) to 2.4.23, and ph33r upgraded sshd1 to sshd2.
Lattera had written a honeypot and tried to get it up and running on erebus as fake services,
though he ran into a bit of trouble and as it came closer to open season I loaded up a fake
services script written in perl by ilja (netric.org).
During the night when most had gone to sleep, I patched the kernel against ptrace, installed
and updated libraries with libpcap/libnet etc. etc., and installed a few sniffers - though I
only got ettercap to be fully functional by the time the game had kicked off.
On the gateway server anarchist and I chmodded 770 our home dirs, removed world-writable
directories and set up user accounts/backdoors.
We decided that to have the upper hand before open season kicked off, we should start
social engineering the other teams. It didn't go too well as opposed to last time (I managed to gain
root to several machines through SEing), but we did find out excellent information
about OS types and kernel/service versions before open season, which assisted us in gathering
exploits.
One annoyance through the entire games was having to scp all our files to erebus from the
gateway, though I will overcome this if I partake in a later game through using DSR-tunnel.
Epic contacted us shortly before open season kicked off and warned that we should at least
give other teams a chance by writing proper services or loading something commercial, so I
decided to write my own service to be loaded on that night.
Before open season kicked off I set up small firewall rulesets and locked down the ARP tables
to make sure ARP spoofing would not be that big a concern to us.

When open season started I began profiling the other systems, running full port scans and
OS detection from nmap <- our favourite network scanner ;)
After I logged these profiles to different files, I checked out the services and found a few
ftps to be open, notably orion's services, which consisted of ftp/telnet and a few others.
I ran ettercap to start sniffing on erinys, which also had telnetd running, and I grabbed
the banner of orion's ftpd, which just so happens to be wu-ftpd 6.0 - having an exploit already
on my system for this I compiled and ran it to be provided with a rootshell on orion.
I decided it would not be fair to lock down orion and work on the other machines so soon in the
game, so I simply left a message in /etc/motd and exited their box.
So that was the first box owned by TEO within the first 12 minutes of the game. I then decided
to check out my sniffer logs for erinys, which provided me with a few passwords, though I was
disconnected and left for work.
When I returned that night I found that orion was down after a kernel upgrade went wrong, and
erinys seemed to be down or not responding to my requests, so I just left it at that. I kept
profiling the other two boxes, namely thrugdush after ref0rm had boasted about it being so secure.
Darawk pointed out that he was running a vulnerable imapd, and I noticed something weird
over his telnetd sessions: the users/passwords tried a few times were the same as other login
information of his, though I did not think anything more of it at the time.
I wrote an imapd exploit for thrugdush though left before I compiled it, and when I returned
the next morning and checked my logs I found a few passwords from ftp sessions to thrugdush.
When I joined #teo to report the passwords, it turned out that the password had been cracked earlier
by darawk, and we started to backdoor their system.
Passwd and shadow files were replaced, and we worked on gaining a remote shell - we did this
by replacing inetd.conf with /bin/sh for imapd, and we reloaded imapd by trojaning the ls command
to do killall -HUP inetd, once this was done we replaced ls and continued to do our work over
the sh shell opened on port 143.
Once again the thrugdush box went down due to a failed kernel compile (I think), and that
only left hades - the last box standing.
We did another full port scan of their machine and port 52333 was holding sshd1, after grabbing
the banner it was shown to be vulnerable, though the x2/x4 exploits did not work.
I started to set up dsniff again (it did not compile during grace) to grab the passwords from their
login, though a short while after it was reported that s0kket had gained access to their box
by logging into ircd as one of their members and pretending that the box had been rooted.
He managed to get his password changed after he sent a base64 encrypted password, and
he logged in and rooted it with a simple ptrace exploit.
That was all of the boxes owned, all 3 by s0kket who had not been a part of any team, 2 of
which had been done by TEO.

The game proved to be lots of fun. I have never done anything related to administering a Linux
box before, so I learnt a lot from grace period, and it was a bit of fun watching the network
traffic and senseless exploits people were running. The next game will prove to be interesting
with a lot of sensible people entering, and my final thoughts on the game are summed up by andrewg
on ircd the first night: 6 Ps - proper planning prevents piss poor performance.

[mercy]