Monday, March 3, 2008

Capture the Flag: Towson and CCBC - Just for fun

Saturday, March 1st, from 9:30am to around 4:00pm (EST) both the Community College of Baltimore County and Towson University participated in a Capture the Flag event. Although a winner was announced the event was just for fun, and an attempt to gear students up for the upcoming Collegiate Cyber Defense Competition, and by upcoming, I mean next weekend. But more on the competition later...

The event was hosted by Towson and set up entirely by Dr. Michael O'Leary. The event was run much like a typical capture the flag, with each group attempting to defend their own systems while attacking the other group's. The groups were derived from a "dodge-ball" style pick, leaving the CCBC and Towson teammates mixed amongst each other. This caused the entire event to be rather laid back, taking the secrecy and pressure off the majority of the students.

I was selected as one of the team captains and was able to pick a rather good team. But overall I had rather little interaction with anyone on my team; this was done on purpose and was part of a well-thought-out strategy. I worked on the offensive side almost exclusively, only answering questions for the defensive counterparts on my team. I was the only one running offense for our team. I'll do my best to describe the event after the jump; keep in mind though, I did little defensively.

The Setup: Each group had five or six students, and was allowed a "team name." Each group had an identical setup, excluding the system host names and the IP addresses. The systems included a mixture of Windows and SUSE installations, with varying patch levels. In addition to the unknown "baseline" security, each system was pre-configured with a handful of holes.

The Injects: Much like the CCDC, this event would not be complete without "business injects." I have a feeling this type of caveat will be all too common in CTF events worldwide with time. Although I did no defense, I did overhear a few of the injects; it seems they ranged from determining the IP address of every web server to setting up a fully functional syslog server with every system logging to it.

The Scoring: Scoring was based on both offense and defense. A team who successfully found a security hole (one of the ones placed on the system at the start of the event) gained points. If they secured the same vulnerability, they scored again. And (my part) if they exploited the vulnerability against the other team, they yet again scored. In addition, any exploitation resulted in some points, and becoming administrator/root resulted in a higher point reward. Thwarting an intrusion also netted some points. One more score vector that I thought was a good addition was something Dr. O'Leary called "style." Anytime you did something "out-of-the-box," clever, or just plain 1337, your team found itself a few points further ahead.

The Recon: I approached the day's event much like a blind pen-test. I truly only knew a few things walking in the door, and only a few more things were explained before we started. At the beginning of the event I knew the following:
  • I had two "attack boxes" with BackTrack (version 2) installed
  • I was on the same address space as the other team (although that was all I knew)
  • The systems had Windows or Linux installed
  • No physical devices (printers, routers, etc) were involved
  • I couldn't attack core network resources (class equipment; servers, hosts, etc)
  • One of my team-mates had a "magical" piece of paper that contained all of our "system" hostnames, usernames, passwords, and OS.
But other than the above, I didn't know much. Not even the addresses of the other team. I never did look at the "team packet" during the event, which contained some information about our setup. So right off the bat, the first thing I did was scan the entire class B subnet we were on. Knowing both teams resided within the same address space, I needed to differentiate between our systems and the other team's. I asked my group to get the addresses of all of our systems.

The Attacks (10.0.1.23): Within the first ten minutes of the event I had already obtained administrative access to two systems, and had set up some ways to maintain access. The first system I attacked was a Windows 2000 system. Exploiting the LSASS vulnerability using Metasploit, I obtained a reverse shell. With time on my side (knowing they had most likely not thoroughly checked the system) I immediately added an account named "root" and added it to the "Domain Admins" group, followed by changing the administrator password. Next I looked around the system, and found an internal employee "phone directory" which I promptly moved to my system. This landed our team a good amount of points up front.

The Attacks (10.0.1.26): This is a really good story, and a lot less technical. This was the second box I attacked within the first ten minutes. I more or less completed the same tasks as above on this system, which was also a Windows 2000 installation. The part worth mentioning, however, was that this was our team's system. Turns out, unbeknownst to me, one of our systems was having network issues at the start of the event, and they failed to give me this address. I completely "owned" one of my own systems. I then promptly reverted my changes and moved along.

The Attacks (10.0.1.24): The system (Windows 2000) had VNC set up with no password. I jumped on, changed the Administrator password, and started to add a few users. I then noticed Back Orifice was installed, so I started setting it up, but was promptly caught. Seems they made a mistake similar to mine: they VNC'ed into their own system and thought they were in one of our systems. This accounted for the mouse moving. Dr. O'Leary came to "score the breach" and informed them that they were on their own system. Puzzled, they then fluttered to find out who was really on the system setting up Back Orifice. Sitting on the box, they realized they were being attacked, and attempted to close my windows, which I just reopened. Then they attempted to shut down the box, which I canceled, and then they pulled the plug. Oh well, they still had to reset the password.

Guest SSH: One of the injects was to set up SSH on every system with a guest account. This more or less meant game over. I used this to leverage further access for the remainder of the event.

(The rest of the attacks are not listed in any particular order. Nor are they the only attacks that were performed, just the ones I have notes written for...)


The Attacks (10.0.1.38): This was a Linux server running HTTP, FTP, and a few other services. The /etc/passwd file was set world-writable, so I changed the guest account to have a uid of 0 and changed the password. I then logged back in and changed the root password. I grabbed the shadow file and began cracking the other user-account passwords. In an attempt to maintain access I then grabbed a copy of the root SSH private key. For an added bonus, I changed the daemon account to uid 0. I trojaned su and ssh on the spot with a quick bash script that would send me a copy of the password, and I also redirected the root bash history to myself. I defaced the website with something childish.

The Attacks (10.0.1.37): Just defaced the website, world-readable, nothing special.

The Attacks (10.0.1.41): This Linux server contained an ecommerce website. The database password was stored in a world-readable include file, giving me access to the database. I was then able to obtain customer information, including credit-card numbers (every time I say this people ask if they were real...um...yeah...no). I was also able to add myself as an administrator on the site. I then defaced the site (changed all of the "Road-Runner" pictures to Bugs Bunny) and then for fun played around with some SQL injections.

The Attacks (10.0.1.42): I swear this was a spitting image of the previous box, except it was a "bank" and contained bank information. And I deleted the bank instead of defacing it.
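An added audit helper (my own example, not code from the original post or the event) that checks a Linux host for the two misconfigurations behind the 10.0.1.38 and 10.0.1.41 breaks above: a group- or world-writable /etc/passwd (or a non-root uid-0 account already planted in it) and world-readable include/config files under a web root. The passwd path and web root are parameters so the functions can be run against constructed sample files; the include-file name patterns are assumptions.

```shell
#!/bin/sh
# Audit helpers for the /etc/passwd and include-file weaknesses above.
# Added example, not code from the original post; file paths are parameters
# so the checks can be run against constructed samples as well as a live host.

# Print every account whose uid is 0 but whose name is not "root"
# (the "guest uid 0" and "daemon uid 0" trick from the write-up).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed (exit 0) if the file's group or other write bit is set.
# stat -c is GNU coreutils; the fallback form is for BSD/macOS stat.
is_group_or_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    [ $(( (other / 2) % 2 )) -eq 1 ] || [ $(( (group / 2) % 2 )) -eq 1 ]
}

# List files under a web root that look like PHP include/config files and
# are readable by "other" (-perm -004 is the POSIX form of -o+r).
# The name patterns are assumptions; adjust them to the application.
world_readable_includes() {
    find "$1" -type f \( -name '*.inc' -o -name '*.inc.php' -o -name 'config*.php' \) -perm -004
}

# Run all checks; returns 1 if anything was flagged so it can gate a cron job.
audit_host() {
    passwd=${1:-/etc/passwd}
    webroot=${2:-/var/www}
    rc=0
    if is_group_or_world_writable "$passwd"; then
        echo "WARN: $passwd is group/world-writable"; rc=1
    fi
    for u in $(extra_uid0_accounts "$passwd"); do
        echo "WARN: non-root account with uid 0: $u"; rc=1
    done
    for f in $(world_readable_includes "$webroot"); do
        echo "WARN: world-readable include file: $f"; rc=1
    done
    return $rc
}
```

Calling `audit_host` with no arguments checks the live /etc/passwd and /var/www; a non-zero exit means at least one finding was printed.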


Defacements: Every time they reverted a site, I more or less changed it back. I erased key files (after "I" backed them up), and they then started to just leave comments like "Stay Out" or "You don't belong here". So I started leaving comments back like "Nor Do You" or "Nice Bank". The defacements became a ranting board between me and the other group, quite fun actually. One more note to add: I added a phpinfo() to most of the sites, just for fun.

Fork Bombs: Near the end of the event I became bored, and decided to just start messing with the systems. Deciding not to just rm -Rf /, I started to fork bomb every system.

Filling The Disk: At the same time I was fork bombing the systems, I decided it would be fun to fill the hard drives. So I wrote a few scripts that started to fill the hard drive. At the end of the event, all of the Linux systems were between 80-90% full. If we had a bit more time, they would have had a good amount of issues...

Syslog: With ten minutes to go in the event, both teams successfully rooted each other's syslog server.

The Winner: Seems the best defense is a good offense. My team won, by a few hundred points.

That about wraps up the event; drop any questions in the comments. Look for a post on the results of the competition, during and after next weekend. Also take a look at the Interesting News Feed.

Saturday, March 1, 2008

Apple Sued Over iPhone Caller ID - Lawyer Taglines

The Article: Apple Sued Over iPhone Caller ID

The Summary: The Apple iPhone has a "two-line LCD" caller-ID function that [oh-my] tells you who is calling. Seems "Romek Figa" owns a patent for such a feature. Figa is attempting to have Apple pay damages and license the feature. Apple thus far is refusing, thus the impending lawsuit. Seems other major phone companies have already abided by Figa's rules, but he hasn't chosen to go through the proper channels at Apple.

Comments: I really want to take this article in an entirely different direction, but before I do so, I'll comment on the article. I don't have the patent information in front of me, so I am skeptical of the entire idea that someone owns a patent on such a widespread feature. But I've seen worse patents (the mouse?). Either way, I'll point you to this other article I added to my feed: Patents, Copyrights, Trademarks, Oh My!

Now, for the spin, and the true point of this post. If you look at the article you'll see an ever common tagline, although this one is funnier than most. "Disclaimer: Nilay is a lawyer, but he's not your lawyer, and none of this is legal advice or analysis." I laugh aloud every time I read one of these. It reminds me of the "warning" on coffee (May Be Hot), or the cautions on strollers (Remove Child Before Closing). Are people really that dumb? Or worse, are they really that sue-happy? Looking at the context of the article, I guess so. But do we now need to write a disclaimer each time we give our opinion based on a job title? Leave your thoughts in the comment section...

Disclaimer: Justin is a guy who is attempting to write a blog, but he doesn't write your blog. Anything within his blog should be considered his own opinion and not yours. Unless it is your opinion too.